trn@aplcomm.jhuapl.edu (Tony Nardo) (12/17/88)
First, an apology. When I wrote my original question, someone pointed out that the form of my query implied Mr. Ellozy would not report a system security hole, but would exploit it. I did not mean to suggest this, and would like to apologize to Mr. Ellozy for this implication.

And now, to summarize the suggestions I received in response to:

> [...] if you discovered one of these [security] holes, and realized that
> a second worm could very easily be written to exploit it, what would
> *you* do?

-------------------------------------------------------------------------------
David Goodenough (dg@lakart.UUCP) wrote:

I would try to do what Chuq Von Rospach did. He posted a "fix" that allowed me to turn off the feature in sendmail and fingerd that caused the problem. HOWEVER he did this in such a way that it was not immediately deducible from the fix how to use the wormhole. The sendmail patch involved "turning off" the debug option by destroying a string that some parser was looking for. So it has something to do with debugging, but I'm damned if I can find anything more about it.

The bottom line is that I say "Well done" to Chuq, and IF I found such a security hole, I'd post a fix. Actually I already did - this related to the secure setuid script problem. I just wrote a program that removed the security problem, and posted the source. It was only about 50 lines, but the idea is there. Admittedly this can't be used to infiltrate someone else's system, but ANYTHING that helps tighten security around UNIX is a good thing.

-------------------------------------------------------------------------------
Greg Lockwood (root@acc-sb-unix.arpa) wrote:

If a security hole is discovered, it seems the obvious thing to do is to report it to your vendor. In this way, that vendor, who is the only one with a list of its customers, can contact them and disseminate the information.

Obviously, you don't want to spread the information about the holes via the net, or other means where non-customers can get to it. This implies that each vendor keeps a record of its customers and can mail to them. Rather than make this a free service, I think most sites would be willing to pay a nominal fee to the vendor for this service, and the vendor, by making such an offer, insulates itself (to some extent) from legal liability inherent in the original leaky software. Just an idea.

-------------------------------------------------------------------------------
hadron!jsdy@uunet.uu.net (Joe Yao) wrote:

IF TIME PERMITTED, I'd send diffs of the fix out to the world without explaining it - those who are authorized to make the fix will probably be able to see what the problem is, and put it in future releases. Unfortunately, time has not always permitted.