Xref: utzoo news.groups:6278 news.sysadmin:1615
Path: utzoo!attcan!uunet!husc6!mailrus!ames!sgi!vjs@rhyolite.SGI.COM
From: vjs@rhyolite.SGI.COM (Vernon Schryver)
Newsgroups: news.groups,news.sysadmin
Subject: Re: Proposal for comp.security/alt.security
Summary: tell everyone if you want it fixed
Message-ID: <22274@sgi.SGI.COM>
Date: 20 Nov 88 00:57:26 GMT
References: <2347@isis.UUCP> <22460@tis.llnl.gov> <1147@unisec.usi.com> <38151@zardoz.UUCP>
Sender: daemon@sgi.SGI.COM
Distribution: na
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 36

In article <38151@zardoz.UUCP>, neil@zardoz.UUCP (Neil Gorsuch) writes:
> Any commercial or educational site listed in the uucp maps can be added
> by a mail request from root or one of the email contacts or the map entry writer.
> Any commercial or educational site listed in the MX tables can be added
> by a mail request from root.

All of the talk about dirty, nasty, greedy, lazy vendors is kind of silly
if you are going to keep this stuff secret.

You "SA's" do occasionally install new releases, don't you? Do you
sometimes install new systems, occasionally from a different vendor? Do
you want the holes fixed, or are you simply accumulating your own bags of
security holes, for your own use, whether to impress your clients and
bosses or for worse?

You need to tell every vendor from whom you might ever purchase a system,
ideally including those not on the Internet or Usenet. (Yes, there are
companies my current employer thinks are competitors which are on neither.
Of course, you are more than welcome to disagree about this.)

The people who administrate the gateways usually have nothing to do with
the people who build and fix the products. (It is a sign of a small or
until recently small company when the MIS types have not been able to
wrest control of the gateway from engineering.) If you tell Foo Inc about
a bug, and it is a real bug, 100 to 1000 people will be privy to it. At
most one will be an "SA", and three or four might know the root password
of foo.com. (In bigger companies than I've worked for, that might be
>>1000.)

In sum, if you're not basically a 'bad-guy' yourself, you're going to end
up letting many unwashed people in on the secret. The longer you delay,
the longer it will take to get it fixed.

Vernon Schryver
Silicon Graphics
vjs@sgi.com