Xref: utzoo comp.unix.wizards:25605 alt.security:2534
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!elroy.jpl.nasa.gov!jato!dave
From: dave@jato.jpl.nasa.gov (Dave Hayes)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: tty security problems under SunOS 4.1 and SunOS 4.1.1
Message-ID: <1991May14.184506.4756@jato.jpl.nasa.gov>
Date: 14 May 91 18:45:06 GMT
References: <25239:May1416:21:3591@kramden.acf.nyu.edu>
Reply-To: dave@jato.jpl.nasa.gov
Organization: Jet Propulsion Lab - Pasadena, CA
Lines: 72

brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:

>However, the bugs are not fixed. I was able to adapt my breaking
>program---still using the same holes that I posted some years back---to
>SunOS 4.1 and 4.1.1, both with and without the new telnetd/rlogind.
>Mitch Wright has agreed to be a reference for this. I believe the new
>version will also survive ``uncover''.

Great. Thanks for your support. *sigh* I dunno why, but I am beginning to enjoy bashing you. However there does come a time to be a bit less frivolous. (WARNING: Slight meta-psychological digression here.)

You asked:

>Why do people think this way? What is so difficult about logic and
>common sense that they have to be replaced by testing? You can't play
>around with security---and given how easy it is to *guarantee* that a
>mechanism is secure, there's no reason to play around.

Yes, people ARE different, aren't they? Have you ever considered that these people can't fix something they don't understand? Let's take this further...do you think that they'd ever WANT to understand when the information is presented in a negative way? Have you ever observed that when you tell a person outright that they are wrong...that they start to get even MORE wrong and MORE illogical and extremely nonsensical? Have you ever noticed that this phenomenon also occurs when remarks about intelligence are made, or insinuations about stupidity are made?

You know, I'll level with you. For all my negative remarks that I make about you (and still feel like making)...I realize (in my own folly) that because of this you won't listen to a word I say...it doesn't matter whether or not my remarks make sense.

Now look at these two paragraphs:

>Sun's patched telnetd and rlogind do stop one program. That's good. But
>the CERT announcement implies that the patches are a ``SOLUTION'' to the
>entire vulnerability of the tty subsystem. That's absolutely wrong. The
>documentation inside Sun's patched source claims that the new versions
>will detect whenever a tty is open. That's absolutely wrong too.

>I hope the SunOS 4.1.1 example gives people a healthy level of distrust
>for vendors' claims that a hole has been fixed. Sun---that's right,
>powerful vendor Sun---was told about a security-breaking program, did
>manage to stop that program, and then didn't look before it leaped into
>the claim that the problem was now completely solved.

Can you see how this applies to vendors? Sure, they resist making changes and I've had some pretty bad experiences with them. Why? Because we give them so much flak about these things. (I'm no exception) It's no wonder that they resist some guy who has nothing better to do than find out what they did wrong. Humans spend 80% of their lives pointing out others' mistakes...if we spent half that time learning to correct them we'd probably be in a better place than we are now.

SO when you ask "Why do people...", you might consider what effect you have had on them first. Perhaps in the case of the wayward vendors, you might offer them a comprehensive and SIMPLE solution to this problem, instead of just jumping up and down and pointing out the mistake. After all...coming up with break code doesn't really help you come up with a fix now, does it?

--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh
"It is a dragon, destroyer of all," cried the ants.
Then a cat caught the lizard.