EC0N@TE.CC.CMU.EDU (Eric R. Crane) (11/13/85)
One solution might be to do something similar to what was done with the Tops-20 mailing list. Create a subset of INFO-VAX which contains only system managers. Then if someone has a security issue they send it to something like INFO-VAX-SECURE. The only way that the problem can be solved is to split the list. No matter how freely we want information to flow, the first time that my systems crash because someone decided to play around with something that they saw on the list, I will be a bit upset. I think that this goes for most people out there.

- Eric Crane
-------
TIHOR@NYU-CMCL1.ARPA (Stephen Tihor) (11/13/85)
No matter how we organize the secure INFO-VAX list it will contain people who, in a perfect world, should never be allowed within reach of a computer. The Unix wizards security list contains two system crackers that I have had problems with in the last few years. Therefore you must assume that the enemy (self-proclaimed) is listening.

Certainly if you are going to publish anything on the list that can crash or crack open a system you should have SPR-ed it to DEC, and there should be some solid reason to publish it. If it's a security problem I would rather let ignorance be DEC's ally until the next minor release gets out, but if you do publish it here please include a workaround. For example, I am now going to have to go and set ACLs on a bunch of logical name tables. Since someone has already done this, I would personally prefer it if they just included the code to handle the standard tables at the end of their message.

I regret that DEC does not provide a service whereby we can get such patches by an at least semi-secure E-Mail channel.

\\ Stephen Tihor / CIMS / NYU / 251 Mercer Street / New York, NY 10012 // (( DEC Enet: RHEA::DECWRL::"""TIHOR@NYU-CMCL1.ARPA""" NYUnet: TIHOR.CMCL1 )) // ARPAnet: Tihor@NYU-CMCL1 UUCPnet address: ...!ihnp4!cmcl2!cmcl1!tihor \\
-------
sasaki@HARVARD.HARVARD.EDU (Marty Sasaki) (11/13/85)
Creating a sub-list is going to be a hassle. Someone will be stuck with verifying that a person who sends a request is a bona fide system manager. I don't read this list from a VMS system, but from a UNIX system, which means that it will be difficult to verify via electronic means that I am a system manager.

There is also the problem that many sites (probably most sites) don't read this mailing list. An article published that showed a security hole, even with a fix, might never make it to a site. Could the poster of the article be sued if someone penetrated a system and did real harm as a result of an article?

Another problem is that there will always be a time lag between when the article is posted and when I finally get around to installing it. Let's suppose that a bunch of interesting security type stuff is discussed at the upcoming DECUS Symposium and an article is posted (with fixes). It happens that I am taking two weeks of vacation after the Symposium. That means that at least two weeks will pass before the news gets out and I get a chance to read it.

I remember when I was managing an RSX-11D system. A brand new terminal driver was part of the release (version 6.2 I think). It was posted in the RSX campground that typing the three character sequence control-c, tab, and rubout would crash the system. Before I could get home that evening (the DECUS was held in Boston, about 5 miles from where I worked) someone had crashed the system.

Marty Sasaki
TIHOR@NYU-CMCL1.ARPA (Stephen Tihor) (11/13/85)
People may be interested in CDC's method of handling security problems with the NOS operating systems: the PSR (SPR) is listed in the database as SECURITY RELATED. The only other information present is the patch-equivalent to fix it and a notation to indicate if this is a USER-supplied workaround or a CDC-supplied workaround. Their database is rather like DEC's DSIN system, except that it is not bundled the same (painfully expensive) way and it offers a reliable file transfer protocol to download patches.

\\ Stephen Tihor / CIMS / NYU / 251 Mercer Street / New York, NY 10012 // (( DEC Enet: RHEA::DECWRL::"""TIHOR@NYU-CMCL1.ARPA""" NYUnet: TIHOR.CMCL1 )) // ARPAnet: Tihor@NYU-CMCL1 UUCPnet address: ...!ihnp4!cmcl2!cmcl1!tihor \\
-------
mooremj@EGLIN-VAX.ARPA ("MARTIN J. MOORE") (11/14/85)
If a system cracker were to make use of some of the bugs/holes published in the newsletter and cause economic damage, the injured party could probably make a lot of trouble for the originator and/or INFO-VAX. I don't know if anyone would be liable for damages (I'm no lawyer) but I'll bet a really angry system manager could get INFO-VAX -- and maybe a bunch of other groups -- kicked off the Arpanet. This is purely conjecture. I have no facts to back it up.

marty moore (mooremj@eglin-vax.arpa)
------