Xref: utzoo comp.unix.wizards:25344 alt.security:2409 Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!jato!dave From: dave@jato.jpl.nasa.gov (Dave Hayes) Newsgroups: comp.unix.wizards,alt.security Subject: Re: BSD tty security, part 4: What You Can Look Forward To Message-ID: <1991May2.204132.12174@jato.jpl.nasa.gov> Date: 2 May 91 20:41:32 GMT References: <1991Apr30.164646.11693@pcserver2.naitc.com> <26844:May100:59:2591@kramden.acf.nyu.edu> <13266@goofy.Apple.COM> <7363:May202:45:0591@kramden.acf.nyu.edu> Reply-To: dave@elxr.jpl.nasa.gov Organization: Jet Propulsion Lab - Pasadena, CA Lines: 57 brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes: >Somehow certain people have formed the mistaken impression that I have >been treating large sites differently from small sites. As I have tried >to explain, I do *not* see a fine line between the administrator of one >machine and the manager of a network of ten thousand machines. I have >not made and will not make a policy of sending break code to anyone who >asks---exactly *because* wide distribution of the code will eventually >reach the ``bad guys'', will affect practically every UNIX machine on >the Internet, and won't be traceable. So (as Dave Hayes can assure you) >I haven't been sending code to people merely because they manage a >``large enough'' network. Yes, I can vouch for that. Dan has persisted in an arrogant and counter-survival attitude which affects the lives of nearly every damn sys admin responsible for computer security. Consider...good computer crackers can find out exactly how to exploit these holes from the information Dan has "graciously" (read 'teasingly') given us all. Why NOT distribute the code involved? The damage is already done. In fact, Dan has made a whole LOT of people 'wrong' in a sense of giving out a potential hole, and then proposing some long and tired hack to a system to patch it. Does this work? Has anyone tried it? Is it comphrehensive? Personally, I don't trust anyone that doesn't trust me. (COmmon sense) There's no way I would trust the integrity and completeness of Dan's patch...even though he may be competant enough to have provided the correct information. So that 'patch' he posted is basically worthless to me. (Yes, I could waste a good week figuring these things out for myself...this is neither desireable or the real point.) How many other sys admins out there feel like I do? I'd really like to know. >This may not be the optimal policy for handling a security hole, but >it's the best policy I've come up with, and I'm not going to listen to >complaints from people who can neither formulate a consistent >alternative policy nor think through its effects. The intelligent man >does not criticize what he cannot improve. Well, to "improve" something has different meaning to different people. I can not only criticize, I can supply you with an alternative. Provide enough details to enable someone to write a comprehensive program that can check for the existence of the holes that you specify on any system... then publish it. It's that simple. >---Dan -- Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh There is no greater calamity for a nation or individual than not finding contentment in one's sufficiency.