Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!rutgers!cmcl2!adm!news
From: protin@pica.army.mil (Arthur W. Protin Jr.)
Newsgroups: comp.unix.wizards
Subject: Re: BSD tty security
Message-ID: <26871@adm.brl.mil>
Date: 13 May 91 16:03:52 GMT
Sender: news@adm.brl.mil
Lines: 54

Folk,

I am getting very tired of the foolishness, personal attacks, and (seeming) evilness going on in this thread on tty security.

Dan posted a warning about a pretty serious security hole and, more importantly, about the indifference vendors have about fixing it. He threatened/promised to release a complete break-and-enter kit far enough into the future that any viable vendor could act to protect their products. He even included a step-by-step recipe for closing the hole.

Then come the demands for the details to be released now. With the exception of Keith Muller's postings, and those supporting Dan's position, the majority of postings in this thread have been nonsense or maliciousness. One poster who complained bitterly that Dan would not give him the dirt turned out to be from a vendor that, according to the poster, makes a unix variant that includes none of the problem code. Why should that poster need the code, except for malicious purposes?

THE CODE THAT DAN IS WITHHOLDING IS THE CODE THAT EXPLOITS THE SECURITY BUG. It is not needed to fix the code. It is useful for testing the fixes. Thus, I find the following posting to be logically flawed:

> System administrators are notably busy all the time, whereas idle
> hackers usually (by definition) have a great deal of idle time.
> Who do you suppose is going to be able to react better to a few
> hints, an overworked system administrator or some eager hacker?

System administrators don't need to deal with the hints! Follow the recipe. Leave the hints and/or other dealings with Dan to the systems programmers who commit to fixing the problem completely (for at least a significant set of machines). If you cannot work from his plan, you will not be able to do anything more with the details except exploit the bug!

Other than following Dan's step-by-step repair procedure, SAs can start to pressure their suppliers to fix or commit to fix the bug.

As for the suggestion that undergraduate students could help solve the problem, Dan has already given them an assignment: in a year and a half, take the break-and-enter kit and test every system within reach.

The dozens of machines here will only get fixed when the vendor supplies us with good code. What makes anybody think that there is a shortage of technical fixes? The BIGGEST problem is BUREAUCRACY and INDIFFERENCE at the vendors. We need a few good lawsuits or contract penalty clauses to motivate them.

Thank you, I just had to get that off my chest.

Arthur Protin

These are my personal views and do not reflect those of my boss or this installation.