Xref: utzoo comp.unix.wizards:25324 alt.security:2400
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!spool.mu.edu!snorkelwacker.mit.edu!paperboy!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <7363:May202:45:0591@kramden.acf.nyu.edu>
Date: 2 May 91 02:45:05 GMT
Article-I.D.: kramden.7363:May202:45:0591
References: <1991Apr30.164646.11693@pcserver2.naitc.com> <26844:May100:59:2591@kramden.acf.nyu.edu> <13266@goofy.Apple.COM>
Organization: IR
Lines: 55

In article <13266@goofy.Apple.COM> erc@Apple.COM (Ed Carp) writes:
> In article <26844:May100:59:2591@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
> >Let me be more explicit. I consider vendors to have a legitimate
> Oh? I do consulting for a vendor, notably Apple.

Fine. So tell someone working on A/UX to get in touch with me.

> I also do consulting
> for a number of very large companies in the bay area, notably a very large
> public utility.
  [ ... ]
> IMHO, your attitude is irrational. How many sites do I have to administer
> to qualify? One? Five? A hundred?
  [ ... ]
> You haven't addressed the issue of whether I'm a cracker or not. Being a
> system administrator of a hundred systems doesn't prove you're a good guy,
> any more than being the administrator of one makes you a bad guy.

Somehow certain people have formed the mistaken impression that I have
been treating large sites differently from small sites. As I have tried
to explain, I do *not* see a fine line between the administrator of one
machine and the manager of a network of ten thousand machines.

I have not made and will not make a policy of sending break code to
anyone who asks---exactly *because* wide distribution of the code will
eventually reach the ``bad guys'', will affect practically every UNIX
machine on the Internet, and won't be traceable. So (as Dave Hayes can
assure you) I haven't been sending code to people merely because they
manage a ``large enough'' network.

Would you like to reevaluate my ``irrational'' position, now that you
have some idea of what my position actually is?

> There's NO WAY that you're going to
> get all vendors to distribute fixes, let alone distribute them FOR FREE.

If a vendor doesn't react by October 1992, its systems will be open to
attack by any novice with rn and cc. Don't get the idea that I trust
vendors to fix problems; I just want to give the more sensible ones a
chance to clean up their act. I suspect that at least some will react.

I'd like to request once again that people read my articles before
spouting off about the proper distribution of security information. I
*have* posted fixes, not just complained about these holes. I have *not*
indicated that large sites are getting any special treatment, nor have I
been giving them any special treatment. I *have* set a date for
distributing code---a date far enough in the future that any concerned
vendor can fix its systems.

This may not be the optimal policy for handling a security hole, but
it's the best policy I've come up with, and I'm not going to listen to
complaints from people who can neither formulate a consistent alternative
policy nor think through its effects. The intelligent man does not
criticize what he cannot improve.

---Dan