Xref: utzoo comp.unix.wizards:25322 alt.security:2399
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!crackers!m2c!seqp4!jdarcy
From: jdarcy@seqp4.ORG (Jeff d'Arcy)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <721@seqp4.UUCP>
Date: 1 May 91 17:24:27 GMT
References: <1991Apr30.164646.11693@pcserver2.naitc.com>
Organization: Sequoia Systems, Marlboro MA
Lines: 23

kdenning@pcserver2.naitc.com (Karl Denninger) writes:
>ISC put their head in the sand until outrageous users started flooding
                                      ^^^^^^^^^^^^^^^^
I've met a few of these. 8]

>>Incidentally, offering (threatening?) to post programs that exploit
>>the bugs is in itself a pretty good warrantee. Dan wouldn't risk his
>>reputation if he didn't have those programs written already, I suspect.
>>
>> --Steve Bellovin
>
>This is true. So assume that the crackers already know about this. Where
>does this leave you?

Risk his what? Sorry, couldn't resist.

As much as I enjoy Bernstein-bashing, that's not my purpose here. The fact
is that Dan would hardly be the first person to make such an offer without
having the goods to back it up. Maybe he will have them when the time comes;
maybe he won't. In any case, I think *posting* them would be irresponsible
since, as Dan points out himself, it will be *years* before the number of
vulnerable vendors becomes small enough to be discounted. I think sending
the programs to "responsible individuals" (whoever they are) would be much
better.