Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!wuarchive!uunet!mcsun!ukc!cf-cm!bharat
From: bharat@computing-maths.cardiff.ac.uk (Bharat Mediratta)
Newsgroups: comp.unix.wizards
Subject: Re: Should Dan post full details of his tty bugs?
Message-ID: <1991May9.155614.14378@cm.cf.ac.uk>
Date: 9 May 91 15:56:14 GMT
References: <26821@adm.brl.mil>
Sender: news@cm.cf.ac.uk (USENET News System)
Organization: University of Wales College of Cardiff
Lines: 53

In article <26821@adm.brl.mil> konczal@sunmgr.ncsl.nist.gov (Joe Konczal) writes:
>
>   From: bill
>   Date: 4 May 91 20:14:46 GMT
>
>   In article <1991May3.183159.23747@maths.tcd.ie>
>   chogan@maths.tcd.ie (Christine Hogan) writes:
>   : In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:
>   : >For this reason I believe it would be best for Dan to post full details
>   : >of the various loopholes.
>   : I disagree.  I _don't_ have sources and I _do_ have lots

[stuff deleted]

>If Dan posted full details, those who don't have the source to their
>operating systems would still be unable to close the loopholes, but
>many other undergrads, who are not smart enough or motivated enough to
>figure it out on their own, would now know how to abuse these
>loopholes.
>
>If you really need to know the details of the loopholes Dan is talking
>about why don't you try to convince him to send them to you, instead
>of writing yet another naive, "doesn't every SA have the OS source,
>and the time and ability to fix it immediately?", message to the
>network.

Unfortunately, this whole deal is the result of something that never
should have happened. System administrators are notably busy all the
time, whereas idle hackers usually (by definition) have a great deal
of idle time. Who do you suppose is going to be able to react better
to a few hints, an overworked system administrator or some eager hacker?

Administrators are busy and don't want to deal with poring through the
manuals to figure out the hints that Dan has dropped in order to patch
some obscure bug with tty. An undergrad with a lot of free time on his
hands (which is the majority, let's face it) is going to be a lot more
enthusiastic about spending a few hours with the old manuals if it means
he can find a new and interesting loophole in security.

All that this discussion has accomplished is to weaken the security of
another thousand sites.

The correct response would have been to tell the people who developed
the system and let them take care of it. They know who the authorized
vendors are, and the vendors know who the authorized system
administrators are. Sure, it'll take a while to get all the way down to
the system administrators, but at least that way the whole USENET
doesn't know about the latest security hole.

This isn't the newsgroup for flames or for personal insults, and neither
is it the group for undermining system security. The best thing to do
is for Dan to send the fix to the developers and drop the subject. Maybe
that way we can prevent even more people from learning the trick.

--
|  Bharat Mediratta  | JANET: bharat@cm.cf.ac.uk                               |
+--------------------+ UUNET: bharat%cm.cf.ac.uk%cunyvm.cuny.edu@uunet.uucp    |
|On a clear disk...  | uk.co: bharat%cm.cf.ac.uk%cunyvm.cuny.edu%uunet.uucp@ukc|
|you can seek forever| UUCP: ...!uunet!cunym.cuny.edu!cm.cf.ac.uk!bharat       |