[comp.sys.apollo] Security by obscurity

root@VLSI-MENTOR.JPL.NASA.GOV (The vlsi-mentor Super User) (07/21/90)

>	   I may be wrong, but since we're not discussing this hole here, we'll never
>	   find out, will we?
>	Well, perhaps Jim Richardson and anyone else who DOES know what the problem
>	is, and HAS applied the patch, could tell us that information without
>	revealing the hole to the rest of the world.
>This is a very serious problem.  It defies rational thought to believe that
>it exists in the first place, and that this type of "patch" supposedly fixes
>it in the second place.
>Security by obscurity is DANGEROUS!!!!

Worse...it's maddening. I am a MENTOR customer, and I cannot even find out
about:

>SR10.2 has a MASSIVE security hole.  In fact, that description doesn't
>do justice to the scale of it.  Anyone running 10.2 should 'phone
>their friendly local HP response centre and ask for advice concerning
>the security problem addressed by APR Nr. 455ECD30.

Would someone PLEASE send me mail regarding this problem?? Posting it would
be even better. 

>That's all I'm prepared to say on the matter - and I fear that this
>might possibly be too much, but I think that this problem is too
>serious to rely on the old security by obscurity rubbish.

I'm sorry, but this causes more damage than just posting the problem.
It creates the scenario where sys admins do not know of the hole but
hostile system crackers do. This situation really hits close to home here.
PLEASE post the problem. 

In my opinion, secure systems through lack of information aren't secure 
at all. I can't stress this enough.
----
Dave Hayes  dave@vlsi-mentor.jpl.nasa.gov   dave%vlsi-mentor@jpl-mil.jpl.nasa.gov
"The word 'choice' is a fraud when one is taught what to choose."