Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!brl-adm!adm!MRC%PANDA@SUMEX-AIM.Stanford.EDU
From: MRC%PANDA@SUMEX-AIM.Stanford.EDU (Mark Crispin)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX-WIZARDS Digest V3#078
Message-ID: <4839@brl-adm.ARPA>
Date: Tue, 10-Mar-87 07:41:04 EST
Article-I.D.: brl-adm.4839
Posted: Tue Mar 10 07:41:04 1987
Date-Received: Tue, 10-Mar-87 21:57:38 EST
Sender: news@brl-adm.ARPA
Lines: 27

Back in prehistoric times when us ancient timers were dealing with dinosaur operating systems such as TOPS-20, there was a strong feeling that we should *fix* all security bugs. Of course, any security features could be compromised by having an idiot as a system manager, but we did our damned best to close security holes. Oh, doubtless a TOPS-20 system would eventually fall to a determined attack by someone at my level of expertise, but it would take a fair amount of time.

"Security through obscurity" is no security at all. If you are aware of a Unix security bug, you MUST assume that the crackers know of it and take action to fix or at least work around it. If you fail to fix a known security bug, then you deserve to have your system trashed by a cracker. You knew the potential consequences of your actions when you decided the security bug was "too obscure for anyone else to find out about."

When you fail to publicize the bug, you are indirectly responsible for some other system getting trashed. If you discovered it, you should assume a cracker has discovered it (or is in the process of discovering it).

Of course, such an attitude would wipe out the fly-by-night vendors of boxes running ancient versions of an old BSD tape. Everyone would know how to crack such systems, and only vendors who keep up on the software technology will survive. I call it Natural Selection and A Good Thing.

-------