[news.sysadmin] the how and why of plugging holes

schwartz@shire.cs.psu.edu (Scott Schwartz) (11/11/88)

In article <27203@tut.cis.ohio-state.edu>, karl@triceratops writes:
>I submit as an example, yet again, the recent discovery of a security
>hole in ftpd.

>	o The fix was made public via a posting in ...ucb-fixes so
>	  that everyone with a C compiler can upgrade NOW and not
>	  wait for slow-as-molasses vendors to decide that it's
>	  worth getting around to.  And I think it's important to
>	  note that not all vendors are slow-as-molasses, either; I
>	  sent a copy of what I initially received to Pyramid and
>	  had the attention of csg@pyramid FAST - they began a
>	  distribution of their fix within (I think) 2 days.

A C compiler and a unix source licence, you mean.

One thing you bring up is really important, and I hope lots of people
get the point: SOME vendors don't do diddly squat about sending out
patches for this kind of stuff; so all those sites without sources are
dead meat, most of the time.

Maybe after customers start delivering bug reports via anonymous
ftp... :-)

For systems with sources, the current mechanisms are not bad.  But I
really worry about the rest of them out there.  At the very least, I
hope that all vendors of unix systems monitor ucb-fixes, and the
security mailing list, and just for fun, do something about what they
find there.
-- 
Scott Schwartz		<schwartz@shire.cs.psu.edu>

eric@hdr.UUCP (Eric J. Johnson) (11/13/88)

In article <4113@psuvax1.cs.psu.edu> schwartz@shire.cs.psu.edu (Scott Schwartz) writes:
>For systems with sources, the current mechanisms are not bad.  But I
>really worry about the rest of them out there.  At the very least, I
>hope that all vendors of unix systems monitor ucb-fixes, and the
>security mailing list, and just for fun, do something about what they
 ^^^^^^^^^^^^^^^^^^^^^

Ha!  You assume, of course, that all vendors fit the criterion for being
on the security mailing list.  Unless one of the "Good 'Ol Boys/Girls" in
the Security Cabal happens to work for the vendor, that probably won't
occur.

-- 
Eric J. Johnson,  Amperif Corporation.
UUCP: eric@hdr.UUCP
I Have Something to Say:  It's Better to Burn Out, Than to Fade Away!
                                                 -The Kurgan

karl@ficc.uu.net (karl lehenbauer #) (11/16/88)

In article <869@hdr.UUCP>, eric@hdr.UUCP (Eric J. Johnson) writes:
> Ha!  You assume, of course, that all vendors fit the criterion for being
> on the security mailing list.  Unless one of the "Good 'Ol Boys/Girls" in
> the Security Cabal happens to work for the vendor, that probably won't
> occur.

Yeah, I got the application for the Andrew Burt-moderated list, which said
basically that PC guys and BBS operators needn't even bother applying, this
when BBSes are probably the most often attacked computers of all.

Also, given the size of the mailing list, the number of sites the mailings
must go through, and the attractiveness of the list for, er, crackers, about
guarantees that the list will fall into the "wrong hands" -- while security
measures keep it out of a lot of the "right hands."
-- 
-- +1 713 274 5184, uunet!ficc!karl
-- Ferranti International Controls, 12808 W. Airport Blvd., Sugar Land, TX 77478