Xref: utzoo comp.unix.wizards:25300 alt.security:2387
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!apple!erc
From: erc@Apple.COM (Ed Carp)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <13266@goofy.Apple.COM>
Date: 1 May 91 17:57:24 GMT
References: <14683@ulysses.att.com> <1991Apr30.164646.11693@pcserver2.naitc.com> <26844:May100:59:2591@kramden.acf.nyu.edu>
Organization: Apple Computer Inc., Cupertino, CA
Lines: 45

In article <26844:May100:59:2591@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:

>Let me be more explicit. I consider vendors to have a legitimate

Oh? I do consulting for a vendor, notably Apple. I also do consulting for a
number of very large companies in the bay area, notably a very large public
utility. They also have a vested interest in anything that would enhance
their security.

>I do not consider someone to have a legitimate interest in
>security-breaking code merely by virtue of being a system administrator.
>If I did, then I should be sending the code to practically everyone---
>there's no fine line between the manager of a major site and the
>``manager'' of a personal workstation. And that is an unacceptable risk.

Well, then ... post it in alt.sources or alt.security.sources. Calls for
votes, anyone?

IMHO, your attitude is irrational. How many sites do I have to administer to
qualify? One? Five? A hundred? You haven't addressed the issue of whether
I'm a cracker or not. Being a system administrator of a hundred systems
doesn't prove you're a good guy, any more than being the administrator of one
makes you a bad guy.

System administrators of a few sites face many (not ALL) of the same headaches
of a large site. Backups, security, user management and disk management, just
to name a few.

>As for explaining this to your boss: I'm sorry I can't be any help here.
>I note that it is a lot more cost effective for FooBar Computer Co. to
>make fixes once and distribute them to 1000 admins than to have 1000
>admins each make fixes for themselves.

Yes, but FooBar Co. (as you yourself have stated) just doesn't have any
interest in fixing the bugs! Besides, do you have any idea how many different
computer systems you're talking about impacting? There's NO WAY that you're
going to get all vendors to distribute fixes, let alone distribute them FOR
FREE.

--
Ed Carp  N7EKG/6  erc@khijol.UUCP  ...uunet!khijol!erc
UUWEST Consulting  Alameda, CA  415/814-0550
Computers HAVE caused a revolution in how much information we can safely ignore!
    --robs@ux1.cso.uiuc.edu (Rob Schaeffer)
-- Absolutely unabashed Gates McFadden groupie! --