Xref: utzoo comp.unix.wizards:25337 alt.security:2405
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!bfmny0!tneff
From: tneff@bfmny0.BFM.COM (Tom Neff)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <83658694@bfmny0.BFM.COM>
Date: 2 May 91 10:32:03 GMT
References: <1991Apr30.164646.11693@pcserver2.naitc.com> <721@seqp4.UUCP> <11974:May214:00:3691@kramden.acf.nyu.edu>
Reply-To: tneff@bfmny0.BFM.COM (Tom Neff)
Followup-To: alt.security
Lines: 30

In article <11974:May214:00:3691@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
> I again invite you and everyone else to stop
>spouting the same tired old rhetoric and start paying attention to this
>case on its own merits.

I suggest this invitation would not have been needed if 'brnstnd' had
been somewhat more professional in his original announcement. I can't
be the only one who found it a bit annoying.

If we really want to help the net, we should remember it's made up of
*people* who will have human reactions to what they read. It is, for
instance, pretty easy to apply 'need to know' criteria when people ask
for bug details, without going out of your way to trumpet the fact
beforehand and p*** people off unnecessarily in the process.

It's also a good idea to try and keep factual discussions of specific
security problems separate from editorializing about who ought to know
what, when, etc. There's already too much of a tendency to combine
these threads in ordinary followups. A new, primary posting that
deliberately combines security facts and editorializing is guaranteed
to fan the flames! And my point is that experienced posters can and
should know this up front.

It's a question of how you want the discussion to proceed. If you WANT
to start a brawl, it's not hard to do. I don't think the net is best
served that way.

In this case it would probably have been enough to say "I seem to have found a security bug in BSD ttys; the following vendors and versions are known to be affected; the following are known to be OK; for further details mail me at
." No big fuss, no cause celebre, just quiet, effective response.