[comp.os.vms] Well, now that it's out of the bag...

AWalker@RED.RUTGERS.EDU.UUCP (06/09/87)

First:  Deepest thanks to those brave souls who hauled off and posted the
patch.  I am willing to bet a *lot* of the readership will take and use it
if they haven't received/never will receive it from DEC, and be done with it.

Second:  In my opinion, which you may choose to ignore or not, having a
*system service* to muck with the UAF is stupid.  I can only see two reasons
for having it:  1> So that you can have "group managers" who can bash their
underlings' accounts, and/or 2> so you can "always" have UAF modifications
be accompanied with a security alarm if appropriate.  This latter one can
still be worked around by a user with the appropriate privileges just opening,
$getting, and $updating records in the file -- relying on this system service
to catch *all* UAF modifications by people with sysprv or bypass is *cretinous*
because you can get around it any number of ways.  

Third: After having a *lot* of fun taking said patch and romping through the
fiche with a very limited knowledge of Bliss, I do indeed have a fairly clear
idea of what's going on although my theory may still be incorrect.  However,
the actual fix is still just a "bigger hammer" that completely disables a
bunch of code -- if this code was ever intended as a feature, you'll never be
able to use that now.

Fourth:  What I said about the high school kids was probably incorrect.  This
one is far too subtle for a "beginner" to deal with, unless I'm way out in
left field here.  [I don't know yet because I haven't actually gotten it
to "work" for me yet.]

Fifth:  Given the above, I think it would be quite safe for the people 
concerned and interested to discuss it openly via info-vax, drawing the line
at things like posting actual working *programs* that make use of it.  From
what I can tell a lot of crackers are the "type make and walk away" sort of
people who are more willing to do something quick, known, and destructive
rather than learn something fairly elegant about the internals of a given OS.
In effect, I'm saying that the folks who understand why a bug like this one
works are more likely to already be managing a machine somewhere, not cruising
around looking for things to break into.

Paranoia is fine, as long as it derives from a realistic threat.  Perhaps
we should splinter off a vms-security list, similar to the unix security
one whereon things like this are discussed openly and fixes freely distributed.

_H*
-------