Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!ames!ucbcad!ucbvax!JPL-VLSI.ARPA!xrjjm%scint.span
From: xrjjm%scint.span@JPL-VLSI.ARPA.UUCP
Newsgroups: comp.os.vms
Subject: (Curiosity about holes killed the cat?)
Message-ID: <870610070344.05g@Jpl-VLSI.ARPA>
Date: Wed, 10-Jun-87 10:03:38 EDT
Article-I.D.: Jpl-VLSI.870610070344.05g
Posted: Wed Jun 10 10:03:38 1987
Date-Received: Sat, 13-Jun-87 19:37:39 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 53

> From: *Hobbit*
From: Fast-Eddie (John J. McMahon)

> First: Deepest thanks to those brave souls who hauled off and posted the
> patch.

Same Here :-)

> Second: In my opinion, which you may choose to ignore or not, having a
> *system service* to muck with the UAF is stupid. I can only see two reasons
> for having it: 1> So that you can have "group managers" who can bash their
> underlings' accounts,

Well, given the size of a project, and/or the availability of your System
Manager, having a "group manager" could be helpful. We used to have a
part-time system manager who was hard to get ahold of. It would have been
great if we had someone who could apply changes to the UAF as we needed them.

However what would be preferred would be a "mini-authorize" utility as opposed
to an "Arcane" System Service (I still can't $GETUAI anything besides a
bugcheck or nulls...)

> Fourth: What I said about the high school kids was probably incorrect. This
> one is far too subtle for a "beginner" to deal with, unless I'm way out in
> left field here. [I don't know yet because I haven't actually gotten it
> to "work" for me yet.]

Hackers get their info from unique sources. I doubt a high-schooler could
find the bug, however given a clue as to where to find it I think they would
find it (Eventually).

> Paranoia is fine, as long as it derives from a realistic threat. Perhaps
> we should splinter off a vms-security list, similar to the unix security
> one whereon things like this are discussed openly and fixes freely
> distributed.

Well, it seems that the great "DECUS Security Hole" hunt has pointed out a
few problems. Obviously, there is a need for a forum to point out minor and
major problems, and distribute bug fixes as needed. However, most people
like to know WHY a patch is being applied, or WHY something works. If for no
other reason than to justify the patch to their system. An open forum on
security can't justify patches posted to it, but how do you completely make
a forum closed and safe?

*Flame Off*

Just out of curiosity, anyone have a piece of FORTRAN code which shows how to
call the $GETUAI system service properly? I can't get the thing to return
anything but nulls (or a bugcheck)...

Oh well... Curiosity Killed The Cat?

Regards,
John McMahon (aka Fast-Eddie)