[comp.protocols.tcp-ip] Security mailing list

jbn@glacier.STANFORD.EDU (John B. Nagle) (11/15/88)

      I suggest that the security mailing list be posted to a newsgroup,
but with a 60-day delay.  Sites and vendors serious about security will either
have fixed any problem by that time, or they probably aren't going to fix it
at all.  This ensures that a false sense of security is not engendered among
system administrators, yet allows a reasonable time for closing newly discovered
problems.
      General knowledge of that 60-day timer will tend to accelerate efforts
by vendors to fix problems, I would suspect.

      Why 60 days?  A monthly update service would be enough to keep systems
operating with the latest security fixes.  30 days would require biweekly
updates to stay current, which is a bit frequent.  Much longer than 60 days,
and the pressure would be off on fixing holes.

					John Nagle

dhesi@bsu-cs.UUCP (Rahul Dhesi) (11/15/88)

In article <17841@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>I suggest that the security mailing list be posted to a newsgroup,
>but with a 60-day delay.

This is a good idea.  In the case of the oft-quoted ftpd bug, the above
procedure was roughly followed, and it worked.
-- 
Rahul Dhesi         UUCP:  <backbones>!{iuvax,pur-ee}!bsu-cs!dhesi

moran@tron.UUCP (Harvey R Moran) (11/16/88)

In article <4752@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>In article <17841@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes:
>>I suggest that the security mailing list be posted to a newsgroup,
>>but with a 60-day delay.
>
>This is a good idea.  In the case of the oft-quoted ftpd bug, the above
>procedure was roughly followed, and it worked.
>-- 
>Rahul Dhesi         UUCP:  <backbones>!{iuvax,pur-ee}!bsu-cs!dhesi

    I wonder how many more people out there believe that sites without
access to the security mailing list (or possibly even USENET) should
have their risks increased pretty significantly?  How about us binary
license sites?

    If you consider the UNIX community to include both binary license
sites and sites with no access to USENET, the *most* such a newsgroup
would accomplish is to make a larger group of privileged characters --
i.e. anyone with access to USENET.  It would *not* get the information
to all concerned SA's.

    Please don't take the 60 day suggestion.  I wouldn't want to be
forced to abandon UNIX and use VMS.  Please note that I do not claim
VMS is any more inherently secure than UNIX, just that DEC doesn't
publish break-in methods around the world.  It wouldn't take many
successful break-ins to convince my management to abandon UNIX, or at
least UNIX with *any* communication with the outside world.

         Harvey Moran       moran@tron.UUCP@umbc3.UMD.EDU
                            {wb3ffv,netsys}!hrmhpc!harvey