Path: utzoo!attcan!uunet!convex!killer!ames!sgi!vjs@rhyolite.SGI.COM
From: vjs@rhyolite.SGI.COM (Vernon Schryver)
Newsgroups: news.sysadmin
Subject: Re: A fix for ftpd
Summary: what do you want for nothing?
Keywords: ftpd
Message-ID: <22234@sgi.SGI.COM>
Date: 18 Nov 88 22:03:56 GMT
References: <696@iraun1.ira.uka.de> <2978@ci.sei.cmu.edu> <271@popvax.harvard.edu>
Sender: daemon@sgi.SGI.COM
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 59

In article <271@popvax.harvard.edu>, mohamed@popvax.harvard.edu (Mohamed Ellozy) writes:
> On the same topic, has any vendor sent fixes to the bugs that the worm
> exploited to ALL users via paper mail?

Do you think that vendors expect to be notified "via paper mail" by the ultimate vendor, BSD? Do you think that vendors think that $400 obligates BSD to fix all bugs forever? Do you think that vendors expect much out of AT&T for our many, many dollars? Do all "users" send support $ to their vendors? Do you? Do you think that postage, not to mention paper or time to write, are free? Have you checked how much it costs to keep a good support person happily answering the phone lately?

> The real lesson from the worm and ftpd is that vendors are not doing a very
> good job. I have found tftpd enabled on two probably plain vanilla out
> of the box Sun 386i's. And so on and so forth.

What would be required to fit your definition of "good job?" Do you expect Sun to find every boxed 386i in the universe, and fix it within two weeks of the discovery of the problem? What about Sun 4's or Sun 3's? Sun 2's? Sun 1's? Forever? Are the sendmail and ftpd bugs the worst bugs in any current product from Sun or any other vendor? If so, do you think most users of that product agree with you? Even the majority who are not directly connected to the Internet? Do you think every employee of every vendor has nothing better to do than read the megabytes of text posted about the recent problems? Do you think it is not almost pure drivel (with some sterling exceptions, of course)? Do you think that all or even most vendors are connected to usenet? To the Internet?

What do you want Sun to do? Mail a $20 cartridge tape with new binaries for ftpd and sendmail to every household and dormitory room in the world within days of finding the problem? Do you want new software tested first? Do you know that there is at least one new bug in the fixed ftpd from BSD? Do you think that not having good wtmp records of the use of ftp is a security problem? How long will it be until you will be able to get fixed binaries from the sun-spots archives for your suns?

At least some vendors, including, as far as I can tell, Sun, are doing a far better job of trying to fix such problems than vendors of other, more dangerous appliances. How many lives in how many years were consumed by Corvairs or Pintos after it was well known that problems existed?

Be fair, or at least accurate.

If you have constructive suggestions on how a vendor could release free fixes for things like the sendmail or ftpd bugs without getting in trouble with the Internet Police, with customers who pay for support, with those who don't have the target machine and don't want to pay for the bandwidth, and with those who pay the bills, please let me know. SGI has found nothing that works.

Vernon Schryver
Silicon Graphics
vjs@sgi.com