rick@seismo.CSS.GOV (Rick Adams) (12/31/88)
What's an unmodified uucp? Do you mean everyone has to run the original 7th Edition uucp? Everything since then has been modified. Mail me uunet's L.sys file and impress me. It's harder than you think.
---rick
sl@van-bc.UUCP (pri=-10 Stuart Lynne) (12/31/88)
In article <44470@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
>Mail me uunet's L.sys file and impress me. It's harder than you think.
Hm, I thought uunet was running HDB. Most HDB sites don't have an L.sys file! That would make it *very* easy :-)
    mail -s "L.sys file" rick@seismo.CSS.GOV < /dev/null
--
Stuart.Lynne@wimsey.bc.ca {ubc-cs,uunet}!van-bc!sl Vancouver,BC,604-937-7532
honey@mailrus.cc.umich.edu (peter honeyman) (01/01/89)
whoever told you that honey danber has more bugs than v7 uucp is misinformed. if you know of any bugs in honey danber, i'd appreciate it if you'd send me mail with details. thanks.
peter
rick@seismo.CSS.GOV (Rick Adams) (01/01/89)
Please spare me your whining. UUNET does not run HDB. It runs one of those bug ridden V7 derivatives. In fact that probably makes it HARDER for you because all those clever tricks you have saved up probably won't work here.

As for shio(), I presume you want to do something tricky with what you expect to be a popen(). Sorry, I fixed that about 3 years ago. It's real hard to fake out the execv() of /bin/rmail. Oh, you're going to fake out the rmail? Sorry, rmail does a direct execv() of sendmail. Oh, you're going to spoof sendmail? Sorry, rmail checks the arguments it passes to sendmail... (Do we see a trend forming?)

You see, it's not a black and white, HDB or "shit" world we're living in. It's even worse. Honeyman and I and others are conspiring. We're pretty damned devious ourselves. We've fixed the easy things years ago. We've even fixed the hard ones. There are probably other bugs out there (only a fool would deny it), but like I said, it's nowhere near as easy as you think it is.

Also, don't confuse the version of HDB that ATT ships with what Honeyman is running. Those HDB bugs you found he probably fixed years ago. AND, even worse, he told ME about them, so I fixed them in my version. (The fact that ATT doesn't seem to want his fixes is ATT's problem [and ATT's customers...])

Oh yeah, one more thing: Why are you assuming that uuxqt is running as the same uid as uucico? Hmmm???? It doesn't need to. And if it isn't running as the same uid as uucico, then it doesn't have read permission on L.sys does it? Gee. It's getting harder all the time...

The reason I'm making a point about all this is that I don't want to lose any uunet customers because they don't want to connect to the "insecure" system that you are describing. I had a hell of a time convincing sites that the Internet virus wasn't going to propagate to their sites via uucp. I don't want them to start worrying all over again.
---rick
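Added example, not part of the original thread and not uunet's code: a sketch of the pattern the post above describes, where the mailer is started with a direct execv() on a fixed path and the arguments are checked first, instead of handing a command string to popen(). The function names, the recipient limit and the character allow-list are assumptions made for illustration; the post does not say what rmail's argument check actually accepts.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define RMAIL_PATH "/bin/rmail"   /* path named in the post */
#define MAX_RCPT 16               /* assumed limit for this sketch */

/* Accept only characters plausible in a UUCP or user@host address.
 * This allow-list is an assumption, not rmail's real rule. */
static int rcpt_ok(const char *r)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@%._+-";
    size_t n = strlen(r);
    if (n == 0 || n > 255) return 0;
    if (r[0] == '-') return 0;        /* would be parsed as an option */
    return strspn(r, allowed) == n;   /* rejects spaces and shell syntax */
}

/* Fill argv[] for execv(). Returns argc, or -1 if any recipient is
 * rejected. argv must have room for nrcpt + 2 entries. */
int build_rmail_argv(char *const rcpts[], int nrcpt, char *argv[])
{
    int i;
    if (nrcpt < 1 || nrcpt > MAX_RCPT) return -1;
    argv[0] = "rmail";
    for (i = 0; i < nrcpt; i++) {
        if (!rcpt_ok(rcpts[i])) return -1;
        argv[i + 1] = rcpts[i];
    }
    argv[nrcpt + 1] = NULL;
    return nrcpt + 1;
}

/* Replace the process image directly: no /bin/sh and no PATH search,
 * so nothing in a recipient is ever interpreted as shell syntax.
 * popen() would instead pass one string to "sh -c". */
int run_rmail(char *const rcpts[], int nrcpt)
{
    char *argv[MAX_RCPT + 2];
    if (build_rmail_argv(rcpts, nrcpt, argv) < 0) return -1;
    execv(RMAIL_PATH, argv);
    return -1;                        /* reached only if execv failed */
}
```

The same two checks (fixed path with execv(), validated argument vector) apply at each hop the post lists, uuxqt to rmail and rmail to sendmail.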
chk@zorac.dciem.dnd.ca (01/04/89)
In article <44471@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
>You see, it's not a black and white, HDB or "shit" world we're living
>in. It's even worse. Honeyman and I and others are conspiring. We're
>pretty damned devious ourselves. We've fixed the easy things years ago.
>We've even fixed the hard ones.
>
>Also, don't confuse the version of HDB that ATT ships with what
>Honeyman is running. Those HDB bugs you found he probably fixed years
>ago. AND, even worse, he told ME about them, so I fixed them in my
>version. (The fact that ATT doesn't seem to want his fixes is ATT's
>problem [and ATT's customers...])
>
So, how do we poor slobs get versions of the software *without* bugs? In particular, those of us without source licenses and without common systems (i.e. no binaries, thank you). It's all very well to say that uunet is secure, but what about all of uunet's neighbors?

btw, as an aside, I claim it is impossible to break into my UUCP system; it doesn't run login, and only allows two hardwired commands (rmail and cunbatch...). The local mailer is equivalent to cat(1). The joys of being a backwater system...
honey@mailrus.cc.umich.edu (peter honeyman) (01/04/89)
chk@zorac.dciem.dnd.ca asks:
>So, how do we poor slobs get versions of the software *without* bugs?
you BUY it.
peter
sl@van-bc.UUCP (pri=-10 Stuart Lynne) (01/05/89)
In article <856@mailrus.cc.umich.edu> honey@citi.umich.edu (Peter Honeyman) writes:
>chk@zorac.dciem.dnd.ca asks:
>>So, how do we poor slobs get versions of the software *without* bugs?
>
>you BUY it.
>
This is not a flame, but out of interest, where can I buy a copy of HDB? Don't need source, just a binary, with all of the latest fixes, either yours or Rick's would do. It would also be nice if it wasn't priced more than the system I'm going to run it on (which is why we don't use ksh from the toolchest).

Seems to me that there's a business opportunity here for someone. Get a valid license to distribute HDB, get fixes from Peter and Rick and distribute for Sun OS, SCO Xenix, System V/386, etc. If the vendors don't want to keep up to date and there is a need to keep these systems secure then there is definitely an opportunity to make a buck. (Actually some vendors are quite interested, they just can't afford to mobilize quickly to fix security problems in a short time frame.)

Of course it would be too much to ask that AT&T offer the source to someone like UUNET so that it could be done on a non-profit basis (or could the BSD version be separated out and made non AT&T Rick?). Would be a nice gesture though. UUNET could sell and support it and then perhaps Usenet UUCP links would be a little safer. Makes a nice counterpart to the services that they are already offering. They are already (apparently) doing quite a lot of work to keep their copy of UUCP very secure. It wouldn't be too hard to get it ported to various other machines at very low cost (I'm sure there's quite a few people who would offer their consulting time at a nominal rate to port it to their system for UUNET). Distribution is easy, just do it via uucp. They already have a billing system.

And then we wouldn't have to waste our time complaining at each other because we think that we've found bugs that will let bad people break in and now we're worried because we can't fix them because we can't afford to buy the source, and our vendor couldn't care less, and if he does he might get around to fixing it in six months, and it will be in the next release after that, which will be after he QA's it, and gets the manuals ready, say another six months.....
--
Stuart.Lynne@wimsey.bc.ca {ubc-cs,uunet}!van-bc!sl Vancouver,BC,604-937-7532
bill@ssbn.WLK.COM (Bill Kennedy) (01/05/89)
In article <856@mailrus.cc.umich.edu> honey@citi.umich.edu (Peter Honeyman) writes:
>chk@zorac.dciem.dnd.ca asks:
>>So, how do we poor slobs get versions of the software *without* bugs?
>
>you BUY it.
>
> peter
Apologies if I'm the only one with this question, I would have emailed but I felt reasonably sure that I'm not alone. I was under the impression that HDB was only available from licensed AT&T vendors and AT&T. Do Rick Adams' and Peter's remarks mean that there is a bug-fixed version available from some other source? If so, I'd sure like to hear about it.

I would have no objection to buying a version that had some holes stopped up and I would hope that it would also have some of the extensions that have been added after the original release (e.g. alternate Systems/Dialers, \M and \m capability in dial scripts, etc.). How would one go about finding out whether the HDB they were buying indeed had all of the fixes that Peter and Rick have identified/fixed?
--
Bill Kennedy
usenet {killer,att,cs.utexas.edu,sun!daver}!ssbn!bill
internet bill@ssbn.WLK.COM
jbayer@ispi.UUCP (Jonathan Bayer) (01/05/89)
In article <856@mailrus.cc.umich.edu> honey@citi.umich.edu (Peter Honeyman) writes:
>chk@zorac.dciem.dnd.ca asks:
>>So, how do we poor slobs get versions of the software *without* bugs?
>
>you BUY it.
>
> peter
I did buy it. However, the vendor still has the bugs in it. Why should I have to buy it two times?
JB
--
Jonathan Bayer "The time has come," the Walrus said...
Intelligent Software Products, Inc.
19 Virginia Ave. ...uunet!ispi!jbayer
Rockville Centre, NY 11570 (516) 766-2867 jbayer@ispi
eric@egsner.UUCP (Eric Schnoebelen) (01/06/89)
In article <856@mailrus.cc.umich.edu> honey@citi.umich.edu (Peter Honeyman) writes:
-chk@zorac.dciem.dnd.ca asks:
->So, how do we poor slobs get versions of the software *without* bugs?
-
-you BUY it.
-
- peter
Where!?!
--
Eric Schnoebelen
egsner!eric@texbell.uucp ...!texbell!egsner!eric
egs@u-word.dallas.tx.us ...!killer!u-word!egs
"We Apologize for the Inconvenience"
bdb@becker.UUCP (Bruce Becker) (01/06/89)
In article <856@mailrus.cc.umich.edu> honey@citi.umich.edu (Peter Honeyman) writes:
>chk@zorac.dciem.dnd.ca asks:
>>So, how do we poor slobs get versions of the software *without* bugs?
>
>you BUY it.
Yeah? From who?
> peter
Grunt,
--
   _  _/\      Bruce Becker Toronto, Ont.
   \`o O|      Internet: bdb@becker.UUCP, bruce@gpu.utcs.toronto.edu
    \(")/      BitNet: BECKER@HUMBER.BITNET
---mm-U-mm---  "The OSF is suffering from Penix envy" - Rocky Raccoon
john@frog.UUCP (John Woods) (01/10/89)
In article <856@mailrus.cc.umich.edu>, honey@mailrus.cc.umich.edu (peter honeyman) writes:
>chk@zorac.dciem.dnd.ca asks:
>>So, how do we poor slobs get versions of the software *without* bugs?
>you BUY it.
Ha. You BUY another release of software with BRAND NEW bugs and a warranty that claims that, at best, you have purchased another bag of rust-covered plastic which might or might not have varying domains of magnetization, returnable in 90 days if and only if the plastic isn't black.

The attitude of "You wanted it to WORK? That costs EXTRA!" is probably the second-place security hole after simple carelessness.
--
John Woods, Charles River Data Systems, Framingham MA, (508) 626-1101
...!decvax!frog!john, john@frog.UUCP, ...!mit-eddie!jfw, jfw@eddie.mit.edu
Go be a `traves wasswort. - Doug Gwyn