Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!bloom-beacon!gatech!udel!burdvax!bpa!cbmvax!vu-vlsi!cgh!manta!brant
From: brant@manta.UUCP (Brant Cheikes)
Newsgroups: comp.sys.att
Subject: System security discussions
Message-ID: <150@manta.UUCP>
Date: Wed, 30-Sep-87 22:18:49 EDT
Article-I.D.: manta.150
Posted: Wed Sep 30 22:18:49 1987
Date-Received: Wed, 7-Oct-87 01:31:19 EDT
Reply-To: brant@manta.UUCP (Brant Cheikes)
Distribution: world
Organization: Philadelphia, PA
Lines: 40
Keywords: UNIXpc security

I am rather surprised to discover that so many people want security flaws publicized on the net. Clearly, what seemed obvious to me (and prompted my now roundly criticized article on the subject) is obvious only to me.

The premise of my argument is that there are more people who would be tempted to exploit a hole once pointed out by, e.g., an article in comp.sys.att than there are people who could actually find such holes or recognize them as such if they stumbled across them. If you accept this premise, then you see that as soon as a security hole is advertised, the pool of potential exploiters (which we would like to keep as small as possible) increases dramatically. Once a security bug is publicly revealed, systems are left vulnerable to this large pool of exploiters until the hole is plugged (which isn't always easy, and doesn't always happen quickly).

I should also point out that not all Unix PC systems are on Usenet. Posting security holes leaves those systems especially vulnerable, since the sysadmins aren't even privy to the discussions.

It was this reasoning that led me to conclude that articles explicitly discussing security violations were a bad idea. What's sauce for the sysadmin is sauce for the hacker. A few active sysadmins benefit at the potential expense of too many others. At the very least, people should recognize that a cavalier attitude toward system security discussions is inappropriate in this forum.

The best solution, to my mind, would involve pressuring AT&T to take an active position on Unix PC security and letting them serve as the clearinghouse for security-related bug reports and fixes.

So despite what appears to be total lack of support for my position, I remain convinced that posting one's latest "Look Ma, I'm root!" is far more likely to do harm than good.

Nevertheless, Lenny Tropiano certainly has my apologies for the inappropriately harsh tone I used toward him in my earlier posting.

-- 
Brant Cheikes
University of Pennsylvania
Department of Computer and Information Science
ARPA: brant@linc.cis.upenn.edu
UUCP: ...cbmvax!cgh!manta!brant