Path: utzoo!utgpu!attcan!uunet!husc6!mailrus!ncar!boulder!pikes!udenva!isis!aburt
From: aburt@isis.UUCP (Andrew Burt)
Newsgroups: news.sysadmin
Subject: Re: Unix security list - status & more
Message-ID: <2357@isis.UUCP>
Date: 9 Nov 88 15:08:27 GMT
References: <2355@isis.UUCP> <4646@bsu-cs.UUCP>
Reply-To: aburt@isis.UUCP (Andrew Burt)
Organization: Math/CS, University of Denver
Lines: 30

In article <4646@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>In article <2355@isis.UUCP> aburt@isis.UUCP (Andrew Burt) writes:
>>Thus what should be widely publicized are not the security holes, but
>>the existence of the (private) list.
>
>And ironically enough, even as this discussion continues, thousands of
>machines are bitten by a simple security hole in sendmail that could
>have been fixed *had it been widely publicized*.

Suppose the holes had been publicized before the worm attack.  Would
public discussion of methods of breaking in have saved any more sites
than just posting the patches without explaining what explicit problem
they solve?

An ideal situation would be this:  List member finds hole, submits to
list, list members fix, tell vendors, (now the tricky part) vendors send
out fixes to sites (particularly to those without source).

I'm not against fixing problems, I'm against widely publicizing what
those problems are.  There are always people who will abuse such
information that comes their way.  I maintain that stopping N lazy
hackers does much more good than informing N (busy) sysadmins what could
happen.  Inform the N sysadmins how to FIX the problem, sure.  But don't
give away any more information than is strictly needed to accomplish
this.
-- 
Andrew Burt
ncar!isis!aburt
"Now go away or I shall taunt you a second time."