Xref: utzoo comp.bugs.4bsd:1096 comp.unix.wizards:12674
Path: utzoo!utgpu!watmath!clyde!att!rutgers!cmcl2!nrl-cmf!ames!lll-lcc!lll-tis!helios.ee.lbl.gov!pasteur!agate!saturn!ucscc.UCSC.EDU!haynes
From: haynes@ucscc.UCSC.EDU (99700000)
Newsgroups: comp.bugs.4bsd,comp.unix.wizards
Subject: Re: hosts.equiv considered harmful (was Re: bin owning files)
Keywords: bin, root, /etc/hosts.equiv
Message-ID: <5538@saturn.ucsc.edu>
Date: 19 Nov 88 19:32:32 GMT
References: <566@comdesign.CDI.COM> <5494@saturn.ucsc.edu> <185@bnr-fos.UUCP>
Sender: usenet@saturn.ucsc.edu
Reply-To: haynes@ucscc.UCSC.EDU (Jim Haynes)
Organization: California State Home for the Weird
Lines: 21

In article <185@bnr-fos.UUCP> hwt@bnr-public.UUCP (Henry Troup) writes:
>I just checked my SunOS 4.0 *distribution tape* hosts.equiv. The
>file consists of "+\n". A quick RofTFM shows that this means
>***trust everyone*** Surprise!
>
>So- In light of the worm, and this, we should realize that
>out-of-the-box systems are not well secured.

At the recent Usenix security workshop this was the #1 complaint that
we asked the vendors present to take back to their companies. There
was one man from Sun there - most other vendors were less well
represented.

A second point was that vendors ought to have one contact person
for all security-related problems, rather than farming them out to
developers who handle the individual pieces of software separately.

haynes@ucscc.ucsc.edu
haynes@ucscc.bitnet
..ucbvax!ucscc!haynes

"Any clod can have the facts, but having opinions is an Art."
        Charles McCabe, San Francisco Chronicle