brant@manta.UUCP (Brant Cheikes) (10/01/87)
I am rather surprised to discover that so many people want security flaws publicized on the net. Clearly, what seemed obvious to me (and prompted my now roundly criticized article on the subject) is obvious only to me.

The premise of my argument is that there are more people who would be tempted to exploit a hole once pointed out by, e.g., an article in comp.sys.att than there are people who could actually find such holes or recognize them as such if they stumbled across them. If you accept this premise, then you see that as soon as a security hole is advertised, the pool of potential exploiters (which we would like to keep as small as possible) increases dramatically. Once a security bug is publicly revealed, systems are left vulnerable to this large pool of exploiters until the hole is plugged (which isn't always easy, and doesn't always happen quickly).

I should also point out that not all Unix PC systems are on Usenet. Posting security holes leaves those systems especially vulnerable, since the sysadmins aren't even privy to the discussions.

It was this reasoning that led me to conclude that articles explicitly discussing security violations were a bad idea. What's sauce for the sysadmin is sauce for the hacker. A few active sysadmins benefit at the potential expense of too many others.

At the very least, people should recognize that a cavalier attitude toward system security discussions is inappropriate in this forum. The best solution, to my mind, would involve pressuring AT&T to take an active position on Unix PC security and letting them serve as the clearinghouse for security-related bug reports and fixes.

So despite what appears to be total lack of support for my position, I remain convinced that posting one's latest "Look Ma, I'm root!" is far more likely to do harm than good. Nevertheless, Lenny Tropiano certainly has my apologies for the inappropriately harsh tone I used toward him in my earlier posting.
--
Brant Cheikes
University of Pennsylvania
Department of Computer and Information Science
ARPA: brant@linc.cis.upenn.edu UUCP: ...cbmvax!cgh!manta!brant
lm@eta.ETA.COM (Larry McVoy) (10/06/87)
In article <150@manta.UUCP> brant@manta.UUCP (Brant Cheikes) writes:
>So despite what appears to be total lack of support for my position, I
>remain convinced that posting one's latest "Look Ma, I'm root!" is far
>more likely to do harm than good. Nevertheless, Lenny Tropiano
>certainly has my apologies for the inappropriately harsh tone I used
>toward him in my earlier posting.
>--
>Brant Cheikes
>University of Pennsylvania
>Department of Computer and Information Science
>ARPA: brant@linc.cis.upenn.edu UUCP: ...cbmvax!cgh!manta!brant

I suggest that you read the following (classic) paper on Unix Security before you decide to broadcast your views on the subject to the net.

F.T. Grampp & R.H. Morris, "Unix Operating System Security", AT&T Bell Technical Journal 63, pp. 1649-1672, October 1984.

It's a very standard OS paper to have read. Had you read it, Brant, you would have discovered that many "obvious" conclusions about security are in fact wrong.

"Look Ma, I'm root!" is fine. It points out holes. People who care will fix the holes. Ignoring them or hushing them up does not fix holes. It creates time bombs.
--
Larry McVoy
uucp: ...!{uiucuxc, rosevax, meccts, ihnp4!laidbak}!eta!lmcvoy
arpa: eta!lmcvoy@uxc.cso.uiuc.edu