Xref: utzoo news.admin:4040 news.sysadmin:1630 comp.mail.uucp:2311
Path: utzoo!attcan!lsuc!ecicrl!clewis
From: clewis@ecicrl.UUCP (Chris Lewis)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <148@ecicrl.UUCP>
Date: 20 Nov 88 17:42:44 GMT
References: <1227@vsi1.UUCP>
Reply-To: clewis@ecicrl.UUCP (Chris Lewis)
Organization: Elegant Communications Inc. (CRL Division)
Lines: 34

In article <1227@vsi1.UUCP> lmb@vsi1.UUCP (Larry Blair) writes:
>It has come to my attention that there is a MAJOR hole created by the way
>many sites administer their machines. This hole presents an opportunity
>for ANYONE on the net to do severe damage to your system. For other sites
>the hole is smaller, but still presents an opportunity for mischief.
>I will send mail to anyone who is interested. I will ONLY send it to the
>user "news" at your system. I wish I didn't have to be so cryptic, but I
>don't want to give anyone ideas.

H'm. I betcha that's the one that I've been hinting about for years.
That almost every SA already knows (or *should* know) about.

I was composing an article to send on this (with fewer hints), asking
how I could get the information out, considering that people don't want
security holes posted, the normal people to warn about this already know
(eg: Rick, Gene etc.), it's *not* in software that any one person (or
group) wrote, lots of people are too lazy to fix it (it's real easy to
prevent), and I CAN'T EVEN GET THE DAMNED SECURITY LIST TO SEND ME AN
APPLICATION!

[Andrew Burt's procedure appears to be refusing to send me an
application form - has the NSA told him to not send applications to
furriners? ;-}]

Anyways, I'm sending mail (from our news account as you've requested) to
you about whether it's the same hole. If it's the same one, please post
a note to the net saying so (along with e-mail back to me for good
measure). If it's not the same hole, I'll post a message similar to
yours.

I'm *strongly* tempted to send out a harmless exploitation of this hole
after giving SA's sufficient warning to get their act together. (I've
been dreaming of "neat" ways of using it for years.... ;-)
-- 
Chris Lewis
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)