Xref: utzoo comp.unix.wizards:25657 alt.security:2559
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!jato!dave
From: dave@jato.jpl.nasa.gov (Dave Hayes)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: tty security problems under SunOS 4.1 and SunOS 4.1.1
Message-ID: <1991May17.181554.26175@jato.jpl.nasa.gov>
Date: 17 May 91 18:15:54 GMT
References: <25239:May1416:21:3591@kramden.acf.nyu.edu> <1991May14.184506.4756@jato.jpl.nasa.gov> <7601@segue.segue.com>
Reply-To: dave@jato.jpl.nasa.gov
Organization: Jet Propulsion Lab - Pasadena, CA
Lines: 83

jim@segue.segue.com (Jim Balter) writes:

>Dan appears to have offered what he believes to be a comprehensive solution,
>and as simple as he thinks he can make it. ("Make things as simple as
>possible, but no simpler." -- Al E.)

That may be how it appears to you. I certainly don't know how it appeared to the vendors. I can only suspect that it appeared too complex and convoluted to vendors who would not listen....either that or the information is presented in a hostile way. Nevertheless Dan did ask a question. ("Why do people think this way") I merely answered. That's more than he's done for me.

> The one jumping up and down is you.

Damn straight. I have no problems jumping up and down about what is going on with dissemination of security information..and not just Dan's personal problem with being helpful (as opposed to determining what help everybody needs). I get paid to jump up and down about this stuff. I don't mind it one bit.

>>After all...coming up with break code doesn't really help you come up
>>with a fix now, does it?
>Nor does posting it all over the net, now, does it?

I'd be willing to wager a large amount of money that posting code over the net would produce a fix MUCH FASTER than coming up with the code.

>Dan provides a solution but doesn't provide the break code. Ed Carp and
>you and a bunch of others yell and scream in a most insulting, rude, impolite
>and uninformed manner at Dan.

Now think for a second. Why do you think that we feel the way we do? Note the common thread in the people who scream a lot (and I have a *BIG* mouth when I want to have one)...we all have a legitimate interest in any security problems over the internet. Dan, in all his holy infinite wisdom, has created an effect on us by posting enough information to produce more crackers but not enough to allow us to deal with them. Fortunately there are other members of the community here that have more consideration and less ego who are willing to help, but IMHO there's no excuse for Dan's behavior...and he should EXPECT the rudeness (in fact I believe he revels in it).

> Now you say that he should offer a solution but not come up with break code.
> Go figger.

You should. I was commenting upon his effort to break SunOS 4.1/4.1.1; trying to figure what that would get him. It was also a very sarcastic comment.

>As I see it, a bunch of non-wizardly sys admins are trying to disrupt a
>technical discussion about tty security problems and how to fix them,

Boy this sounds elitist. I guess us humans do need to demonstrate their superiority over others time and time again...it's a fact of human nature.

>with demands that some code that demonstrates the problem be posted so that
>they can "understand the problem" and then go hack and slash or whatever
>in order to "fix" the problem. This is simply not a competent approach
>toward problem solving.

It is also incompetent to post details of the problem if you aren't willing to post fixes/solutions and a description of the problem. I personally believe that security by obscurity isn't (what a time worn phrase), but if you believe different...then WHY POST ANYTHING AT ALL. Anything else is blatant and obnoxious hypocrisy.

>If you aren't competent (meaning possessing required
>knowledge and skills; nothing pejorative) to understand the problem from
>the discussion so far, what can possibly make you think that you are competent
>to solve the problem based upon the program that breaks the system?

This is an assumption about the way people think. I guarantee you that there exists someone out there who couldn't understand the conceptual details until you showed them some code. Interestingly enough, there is a musician who I am teaching who doesn't understand a whit about altered dominant scales on paper, but when I played them for him he immediately understood.

Please cut the rest of humanity some slack. There are a LOT of different types of people out here.

--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh

Think enough and you won't know anything!