OC.TREI@CU20B.COLUMBIA.EDU (Peter G. Trei) (11/15/85)
Since the recent furor over the posting of some security holes in VMS, some readers have proposed that an 'INFO-VMS-SECURITY' list be created, and sent only to SYSTEM ids. This would prevent info from reaching some crackers, but also cut out many legitimate people. The machine I receive this list on is a DEC-20. The VAXen I wish to protect are not on any public network (for security reasons).

We are faced with two mutually exclusive goals:

1. Ensure that ALL people who should know about security holes learn of them and their fixes as soon as possible.

2. Ensure that ALL people who should not know about security holes are prevented from learning of them as long as possible.

There is no way to check credentials over the network, and even if we knew that every person receiving a list was a security manager on some system, some Jekyll/Hyde types will zealously protect their own system while trying to crack someone else's.

It has been proposed that security patches be published without an explanation of the problem they are fixing. GREAT IDEA! In one fell swoop, HUNDREDS of systems could be compromised by a Trojan Horse 'security fix'. BEWARE OF STREET SOFTWARE!

I would like to see the security bug reports continue to appear here, especially when accompanied by a fix I can understand. Then at least I know as much as the crackers, and we light a fire under DEC to provide an official fix.

Peter Trei
oc.trei@cu20b