Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!sunybcs!kitty!bakerst!kathy
From: kathy@bakerst.UUCP
Newsgroups: unix-pc.general,comp.sys.att
Subject: Re: Irresponsibility (Was: Security problem on UNIX PC's)
Message-ID: <938@bakerst.UUCP>
Date: Wed, 30-Sep-87 13:33:33 EDT
Article-I.D.: bakerst.938
Posted: Wed Sep 30 13:33:33 1987
Date-Received: Sat, 3-Oct-87 06:19:39 EDT
References: <54@quincy.UUCP> <149@manta.UUCP> <8700178@eta.ETA.COM>
Reply-To: kathy@bakerst.UUCP (Kathy Vincent)
Organization: Chocoholics Anonymous UnLtd, Winston-Salem, NC
Lines: 42
Keywords: security, root, problem, unix-pc
Xref: utgpu junk:5944 comp.sys.att:1175

In article <8700178@eta.ETA.COM> lm@eta.UUCP (Larry McVoy) writes:
>
>The best way to make a system secure is to do exactly what the
>poster did: broadcast the information on how to break in. Then it is
>*your* problem as a systems administrator to fix it.

Lenny said his purpose in posting was to help inexperienced, novice UNIX pc administrators find holes and protect their machines against those holes. Sounds good to me.

He says he didn't post directions. (They look like directions to me in two cases out of three, but, hey, I won't quibble.) He also says the holes he mentioned can be easily protected against with good administration. But he doesn't go into any details as to what, exactly, that easy protection and good administration might be. So he helped find a few holes, but he didn't necessarily help anyone protect against those holes.

I want to know about holes, too - agreed.
Seems to me, though, that, if you really want to be helpful, and if fixes and/or workarounds and/or protections against those holes are really all that simple - and especially if you're especially concerned about inexperienced administrators who may be unfamiliar with their hardware and/or software (which is, again, what Lenny said he was concerned about) - then you post fixes or workarounds or administration tips, too, in addition to the holes themselves. That would help people who may not yet have the experience or know-how to follow *your* dictum: "Then it is *your* problem as a systems administrator to fix it."

I personally had mixed feelings about the original posting. I've been a little irritated by postings of other people that say, in effect, "There's a TERRIBLE SECURITY HOLE in this machine - but I won't tell you what it is," so I'm left with all these Vague Feelings of Dread about what kinds of gaping holes there are that I don't know about and wouldn't even know to look for, much less how to guard against - but at least I could hope that knowledge about the holes was relatively confined. (Hey, I said I could *hope* :-)

I had something of Brant's reaction to Lenny's posting - but I was also interested in seeing the specifics posted for a change, so at least I have some idea where the problem is.

Kathy Vincent ------> Home: {ihnp4|mtune|codas|ptsfa}!bakerst!kathy
              ------> AT&T: {ihnp4|mtune|burl}!wrcola!kathy