Xref: utzoo comp.protocols.tcp-ip:5330 comp.unix.wizards:12387
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!ukma!psuvm.bitnet!cunyvm!ndsuvm1!ndsuvax!ncoverby
From: ncoverby@ndsuvax.UUCP (Glen Overby)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Re: Crackers and Worms
Summary: What about THE mailing list?
Keywords: bug reality
Message-ID: <1776@ndsuvax.UUCP>
Date: 13 Nov 88 22:39:22 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <1240@ucsd.EDU> <8388@nlm-mcs.arpa> <44444@beno.seismo.CSS.GOV> <1727@c
Reply-To: ncoverby@ndsuvax.UUCP (Glen Overby)
Organization: North Dakota State University, Fargo
Lines: 26

In article <1727@cadre.dsl.PITTSBURGH.EDU> sean@cadre.dsl.pittsburgh.edu (Sean McLinden) writes:
>It is clear from Rick Adams' comments that 'not wanting to tip anyone off'
>is no excuse. Even binary-only sites can be protected fairly rapidly if
>the appropriate channels are used.

This sort of thing has been a pretty big issue lately, so I thought I'd chip
in a few comments.

If information about bugs (or, should I say, "misfeatures") in Unix (or
really any OS) should not be publicly disclosed to protect those who either
do not or can not repair them, then HOW should such "classified" information
be distributed to those who want/need it, and can and will fix the holes?

Not but a few weeks ago there was a "discussion" on one of the news.* groups
about the Security mailing list (there are two of them, but that's irrelevant
here) which is restricted to "trusted" people (those who are "root" on a
"major machine" -- whatever that means). Now, if information about security
bugs is too risky for distribution among that elite group of "system gods",
then should that information be exchanged over network mail systems at all?
(e.g. to 4bsd-bugs@ucbvax).

I think all of this sort of information should be distributed at least over
the private security forum; Vendor releases just aren't frequent enough to
fix these problems in a timely manner.

Glen Overby
ncoverby@plains.nodak.edu
uunet!ndsuvax!ncoverby
ncoverby@ndsuvax (Bitnet)