Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!jato!dave
From: dave@jato.jpl.nasa.gov (Dave Hayes)
Newsgroups: comp.unix.wizards
Subject: Re: BSD tty security
Message-ID: <1991May13.223942.21459@jato.jpl.nasa.gov>
Date: 13 May 91 22:39:42 GMT
References: <26871@adm.brl.mil>
Reply-To: dave@jato.jpl.nasa.gov
Organization: Jet Propulsion Lab - Pasadena, CA
Lines: 51

protin@pica.army.mil (Arthur W. Protin Jr.) writes:

> I am getting very tired of the foolishness, personal attacks, and
>(seeming) evilness going on in this thread on tty security.

Yes, and I am getting tired of the lack of cooperation and mistrust
going on in this community. It still exists, and I'll still complain
about it but that ain't goin t'make it go away...dammit. 8)

> THE CODE THAT DAN IS WITHHOLDING IS THE CODE THAT EXPLOITS THE
>SECURITY BUG. It is not needed to fix the code. It is useful for
>testing the fixes.

It is useful indeed. My point (and I don't know who else agrees with me)
is that not only is this code needed to assert the validity of any said
fixes, but the code (or pseudo code) is needed to understand the hole.
A logical case can be made for security holes to be exposed; good
security is not based upon obscurity.

>System administrators don't need to deal with the hints! Follow
>the recipe.

Do you trust someone who doesn't trust you? Please answer honestly, now.
Personally, and professionally, I do not. I find it extremely difficult
to trust someone else's fixes when they not only distrust me, but I have
little or no understanding of exactly what needs to be fixed and why.

>(for at least a significant set of machines). If you can not work
>from his plan, you will not be able to do anything more with the details
>except exploit the bug!

I disagree completely. If you have the details, you can eventually provide
fixes...assuming competence.

> Other than following Dan's step-by-step repair procedure, SA's
>can start to pressure their suppliers to fix or commit to fix the
>bug.

Give me a break, here. How many times has that failed?

>Thank you, I just had to get that off my chest.

You're welcome. Please acknowledge that I'd like to do the same.

--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh

He who has self-conceit in his head - Do not imagine that he will ever hear the truth.