Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!sun-barr!rutgers!cmcl2!adm!news
From: protin@pica.army.mil (Arthur W. Protin Jr.)
Newsgroups: comp.unix.wizards
Subject: Re: BSD tty security
Message-ID: <26893@adm.brl.mil>
Date: 14 May 91 17:43:52 GMT
Sender: news@adm.brl.mil
Lines: 44

Greg,

I am sorry to have to say this, but you are wrong when you say:

>> THE CODE THAT DAN IS WITHHOLDING IS THE CODE THAT EXPLOITS THE
>> SECURITY BUG. It is not needed to fix the code.
>
> It is needed if you're not bright enough to figure out what the bug is.

If you are not "bright enough to figure out what the bug is", then you
can do any of these four things:

1) apply the fixes that Dan provided;
2) start the flood of users requesting that their vendors fix the bug;
3) ignore it all and hope it goes away;
4) carry on like spoiled children and demand that Dan give you code
   that you are not bright enough to understand anyhow!

If you cannot figure out what the problem is from all that has already
been said, you will not fare much better with the code to exploit the
bug (unless your goal is to exploit the goal). If you are not bright
enough to figure out what the bug is by now, what makes you think you
are bright enough to find an equally good alternative to Dan's formula?
If you cannot follow Dan's proof that his fixes close the hole, then
you really should turn this problem over to someone qualified to deal
with it, and you will have to be able to trust them because you will
not be able to second-guess them technically.

Understand that when Dan does publish the code he has withheld, no one
who had to wait for that code to fix the problem will be able to fix
the problem before the crackers have run through their systems. Those
who want the code published now want the affected systems violated now.

thank you,
Art Protin

Arthur Protin
These are my personal views and do not reflect those of my boss
or this installation.