Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!rpi!zaphod.mps.ohio-state.edu!usc!ucla-cs!elroy.jpl.nasa.gov!decwrl!ucbvax!hplabs!otter!tgg
From: tgg@otter.hpl.hp.com (Tom Gardner)
Newsgroups: comp.lang.c
Subject: Re: Unix System Security
Message-ID: <1670020@otter.hpl.hp.com>
Date: 10 Jan 90 17:37:21 GMT
References: <1989Dec12.014608.12607@polyof.poly.edu>
Organization: Hewlett-Packard Laboratories, Bristol, UK.
Lines: 30

David Newall                    Phone:  +61 8 343 3160
Unix Systems Programmer         Fax:    +61 8 349 6939
Academic Computing Service      E-mail: ccdn@levels.sait.oz.au
SA Institute of Technology      Post:   The Levels, South Australia, 5095
writes:

>>tgg@otter.hpl.hp.com (Tom Gardner) writes:
>> Posting details of known UNIX security holes to the net is a *very* bad idea;
>> I hope the reasons are obvious.

>Do you suggest that the bad people won't find out about security holes if
>those holes aren't published? So naive...

Please reread my posting; I implied no such thing. To use an analogy of
dubious validity, gun control does not prevent murder, but it does reduce
the problem (is that a sufficiently contentious statement? ;-} ).

>Personally I wish to hear about problems as soon as possible; so they can be
>fixed. What would *you* suggest is the best way of securing Unix?

Sorry, my magic wand is fresh out of twinkle dust today... ;)

I want to hear about *fixes* as quickly as possible. The original posting
could have resulted in details of *open* holes being widely circulated and
read by persons of unknown responsibility; I hope you would agree that would
be unwise.

As to how to get Unix holes plugged: there are a number of conflicting
approaches each of which has advantages and disadvantages, and I have no
intention of proposing The Answer (tm). What is your Answer?