Xref: utzoo comp.unix.wizards:25355 alt.security:2415
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sample.eng.ohio-state.edu!purdue!haven.umd.edu!decuac!hussar.dco.dec.com!mjr
From: mjr@hussar.dco.dec.com (Marcus J. Ranum)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <1991May03.010840.5268@decuac.dec.com>
Date: 3 May 91 01:08:40 GMT
References: <13266@goofy.Apple.COM> <7363:May202:45:0591@kramden.acf.nyu.edu> <1991May2.195305.13628@pcserver2.naitc.com>
Organization: Digital Equipment Corp., Washington Ultrix Resource Center
Lines: 17

kdenning@genesis.Naitc.Com (Karl Denninger) writes:
> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>>If a vendor doesn't react by October 1992, its systems will be open to
>>attack[...]
>
>You're giving them WAY too much slack.

I agree - that's giving the vendors a lot of slack. But, bear in
mind that not only are you (hopefully) going to embarrass vendors into
patching broken code - by posting the keys you are leaving a lot of sites
wide open to attack, sites that are not "guilty" and therefore deserve
some slack themselves.

This is a tricky issue, and it's not, I respectfully submit, as
simple as bashing a vendor.

mjr.