Xref: utzoo comp.unix.wizards:25335 alt.security:2404
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!uunet!stanford.edu!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <11974:May214:00:3691@kramden.acf.nyu.edu>
Date: 2 May 91 14:00:36 GMT
References: <1991Apr30.164646.11693@pcserver2.naitc.com> <721@seqp4.UUCP>
Organization: IR
Lines: 26

In article <721@seqp4.UUCP> jdarcy@seqp4.ORG (Jeff d'Arcy) writes:
> The fact is that Dan would hardly be the first
> person to make such an offer without having the goods to back it up.

As Steve Bellovin, Gene Spafford, Tom Christiansen, various BSD folks including Marc Teitelbaum and Keith Bostic, CERT, and a couple of other people can attest, I *do* have the goods: a program that compiles, runs, and breaks tty security sufficiently well to invisibly execute a command under other people's sessions. I've had the program since before my first article here about tty security a few years back, and it's required only minor changes to work on systems through the latest BSD.

While in some alternate universe I might conceivably ``make such an offer without having the goods to back it up,'' in reality I *do* have what I have claimed. That's the fact, Jeff. I again invite you and everyone else to stop spouting the same tired old rhetoric and start paying attention to this case on its own merits.

I don't expect to post further articles in this thread, as I find all these counterfactual arguments remarkably counterproductive. I will continue to watch for questions and complaints about the fixes, and if necessary I will post comments about the security of specific machines.

In late 1992 we'll see how many vendors have woken up.

---Dan