src@scuzzy.in-berlin.de (Heiko Blume) (05/09/91)
er, do you expect us porting this to system V, given all those (CENSORED) long filenames? that wouldn't be brave, but (CENSORED) tedious. -- Heiko Blume <-+-> src@scuzzy.in-berlin.de <-+-> (+49 30) 691 88 93 [voice!] public UNIX source archive [HST V.42bis]: scuzzy Any ACU,f 38400 6919520 gin:--gin: nuucp sword: nuucp uucp scuzzy!/src/README /your/home
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/10/91)
In article <1991May09.012116.5816@scuzzy.in-berlin.de> src@scuzzy.in-berlin.de (Heiko Blume) writes: > er, do you expect us porting this to system V, given all > those (CENSORED) long filenames? that wouldn't be brave, but > (CENSORED) tedious. Actually, there are only six files whose names have to be shortened for 14-character filesystems: getdevicename.{c,h}, printprotoinet.{c,h}, and printsocktype.{c,h}. This is hardly a burden. You should also realize that kstuff contains more than thirty independent libraries. Someone porting the important parts---nlistlist, kmem, getuser, etc.---to System V can simply ignore the other libraries, and the filename length problem won't even show up. Apparently you'd rather bitch than contribute. Too bad. ---Dan
src@scuzzy.in-berlin.de (Heiko Blume) (05/12/91)
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes: >In article <1991May09.012116.5816@scuzzy.in-berlin.de> src@scuzzy.in-berlin.de (Heiko Blume) writes: [bitching] >Apparently you'd rather bitch than contribute. Too bad. oh well, i was in bitch-mode, mea culpa! -- Heiko Blume <-+-> src@scuzzy.in-berlin.de <-+-> (+49 30) 691 88 93 [voice!] public UNIX source archive [HST V.42bis]: scuzzy Any ACU,f 38400 6919520 gin:--gin: nuucp sword: nuucp uucp scuzzy!/src/README /your/home
bill@franklin.com (bill) (05/13/91)
In article <1991May11.200747.17465@scuzzy.in-berlin.de> src@scuzzy.in-berlin.de (Heiko Blume) writes: : brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes: : : >In article <1991May09.012116.5816@scuzzy.in-berlin.de> : src@scuzzy.in-berlin.de (Heiko Blume) writes: : [bitching] [Actually, a legitimate complaint, in that Bernstein didn't bother with a trivial detail in his postings on alt.sources that would have made life easier for many people.] : >Apparently you'd rather bitch than contribute. Too bad. : : oh well, i was in bitch-mode, mea culpa! Not at all. Bernstein erred in not using shorter file names but Bernstein is one of those people who often answers perfectly valid criticisms by slashing at those who criticize rather than by fixing his errors. He's acquired a knack of making abusive comments that, I suppose, give him a warm fuzzy feeling while making those he's attacked feel in the wrong, but that knack doesn't make his mistakes right. He's seems to have this fixation on just how "right" he is. Actually, most of the time, he's either just plain wrong or has chosen a position no more defensible than his opponents'. It seems Bernstein thinks that his being right gives him some right to be gratuitously abusive. Even if being right were sufficient justification for gratuitous abusiveness, Bernstein is hardly so worthy that he should be granted that right. In case Bernstein wants to respond to me: don't bother. I've added you to my global kill file and I'll trash any further e-mail from you unread. Your last message to me, which you may consider this a response to, makes it perfectly clear just what kind of person you are and I have no intention of wasting my time further with you. What little of value you might be able contribute is utterly swamped by the filth you embed it in. Anyone else who wants to comment: feel free, but please keep it in e-mail. Followups have been directed to alt.flame, to which most of Bernstein's postings ought also to be posted.
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/13/91)
In article <13May91.095814.8736@franklin.com> bill@franklin.com (bill) writes: > In article <1991May11.200747.17465@scuzzy.in-berlin.de> > src@scuzzy.in-berlin.de (Heiko Blume) writes: > : brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes: > : >In article <1991May09.012116.5816@scuzzy.in-berlin.de> > : src@scuzzy.in-berlin.de (Heiko Blume) writes: > [Actually, a legitimate complaint, in that Bernstein > didn't bother with a trivial detail in his postings on > alt.sources that would have made life easier for many > people.] [ ... ] > Bernstein erred in not using shorter file names Perhaps, but the package only runs on BSD systems, as the top of the first posting states quite clearly. So I don't think ``would have made life easier for many people'' is right. Only someone who ports the package to System V will ever care about the filename length, and a kernel-reading package has a hell of a lot more system-dependent stuff than six filenames longer than 14 characters. [ various insults ] > In case Bernstein wants to respond to me: don't bother. I've > added you to my global kill file and I'll trash any further e-mail > from you unread. Your last message to me, which you may consider > this a response to, makes it perfectly clear just what kind of > person you are and I have no intention of wasting my time further > with you. Okay, T. William Wells, I'm not responding to you. I'm just clearing this up for comp.unix.wizards readers, since you dragged this thread into comp.unix.wizards for no reason having anything to do with its technical content. To the net, then: What Bill is referring to is a message I sent him last week. He posted something about how without full details of the tty security holes there's no way people can fix the problem. Now I've been reacting rather strongly to such statements---I *have* posted a complete fix, and as my last message should make clear, people do not need break code to understand why the fixes work. If there weren't a published fix then people would have a perfect right to complain. But this time there *is*, and I think people should take a step back and review what's actually happened here before they shout further religious stupidities. In Bill's case I wasn't even sure he'd seen what I'd posted---it sounded as if he was just jumping into the middle of the thread, with no idea of what was going on other than that somebody had said there was a security hole. So I asked him politely whether he had seen my changes; enclosed is a copy of that message. Bill's reply: ``Why, no. Your writings are so offensive that I can't stomach more than a paragraph of your noise.'' and so on. So I was right. Bill *hadn't* read the previous articles in the thread, and he *didn't* know what was going on. (He probably still doesn't.) He was simply foaming at the mouth. Is it wrong for me to be annoyed at such behavior? Is it too much to ask that people read articles before they follow up, or that they see what my security policy is before criticizing that policy? I sent Bill a final message along the lines of ``Too bad you're keeping your eyes shut,'' and he thinks that justifies further public insults, not to mention dragging an alt.sources.d thread into comp.unix.wizards just so he could blare those insults more loudly. What ever happened to netiquette? I've posted some nasty stuff about people's opinions, but taking an irrelevant (and already finished) thread and dragging it into a separate high-volume group just to scream ridiculous character insults goes way beyond all bounds of decency. T. William Wells, grow up. ---Dan Return-Path: brnstnd@KRAMDEN.ACF.NYU.EDU Received: from NYU.EDU by KRAMDEN.ACF.NYU.EDU (5.61/1.34) id AA27160; Wed, 8 May 91 06:12:06 GMT Received: from KRAMDEN.ACF.NYU.EDU by cmcl2.NYU.EDU (5.61/1.34) id AA15950; Wed, 8 May 91 02:12:03 -0400 Received: by KRAMDEN.ACF.NYU.EDU (5.61/1.34) id AA18009; Sun, 5 May 91 22:49:13 GMT Date: Sun, 5 May 91 22:49:13 GMT From: brnstnd@KRAMDEN.ACF.NYU.EDU (Dan Bernstein) Message-Id: <9105052249.AA18009@KRAMDEN.ACF.NYU.EDU> To: bill@franklin.com, brnstnd@nyu.edu Subject: Re: Should Dan post full details of his tty bugs? Newsgroups: comp.unix.wizards,alt.security In-Reply-To: <4May91.201446.4564@franklin.com> References: <26844:May100:59:2591@kramden.acf.nyu.edu> <4601@skye.ed.ac.uk> <1991May3.183159.23747@maths.tcd.ie> Organization: IR In article <4May91.201446.4564@franklin.com> you write: > For as > long as you remain ignorant of the details, you are prevented from > taking preventative action. Have you noticed that I've posted a complete fix? ---Dan
kyle@UUNET.UU.NET (05/14/91)
Dan Bernstein writes: > To the net, then: What Bill is referring to is a message I sent him last > week. He posted something about how without full details of the tty > security holes there's no way people can fix the problem. Now I've been > reacting rather strongly to such statements---I *have* posted a complete > fix, and as my last message should make clear, people do not need break > code to understand why the fixes work. If there weren't a published fix > then people would have a perfect right to complain. But this time there > *is*, and I think people should take a step back and review what's > actually happened here before they shout further religious stupidities. You did indeed post a fix. But without the details, it's very hard for admins to come up with alternate solutions that don't impact their base of users and programs as much. It's hard to close a hole if you don't know what it is. Your proposed fixes might be complete and correct, but still not be the best for a particular installation. Don't take this as another flame, it's not. I'm just pointing out that reality often demands more than one solution to a problem.
src@scuzzy.in-berlin.de (Heiko Blume) (05/14/91)
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes: >In article <13May91.095814.8736@franklin.com> bill@franklin.com (bill) writes: >> Bernstein erred in not using shorter file names >Only someone who ports the >package to System V will ever care about the filename length which is wrong. don't forget archive sites (like me). one just can't unshar your stuff on sys v machines properly, and there is no point in archiving shar files - you don't know if they're broken or something. and since there are only a few filenames longer than 14 characters (as you said), why the hell didn't YOU shorten them? instead you tell us to do it - that's just a waste of time. -- Heiko Blume <-+-> src@scuzzy.in-berlin.de <-+-> (+49 30) 691 88 93 [voice!] public UNIX source archive [HST V.42bis]: scuzzy Any ACU,f 38400 6919520 gin:--gin: nuucp sword: nuucp uucp scuzzy!/src/README /your/home
jfh@rpp386.cactus.org (John F Haugh II) (05/14/91)
In article <9105131716.AA17481@rodan.UU.NET>, kyle@UUNET.UU.NET writes: > You did indeed post a fix. But without the details, it's very > hard for admins to come up with alternate solutions that don't > impact their base of users and programs as much. It's hard to > close a hole if you don't know what it is. Your proposed fixes > might be complete and correct, but still not be the best for a > particular installation. > > Don't take this as another flame, it's not. I'm just pointing > out that reality often demands more than one solution to a > problem. One problem is that the changes that are needed really have to be made by the vendors because the changes aren't the same for every UNIX platform. So he can't post a detailed fix. On the other hand, posting the code that breaks into the system will make it too easy on the programmers that haven't figured it out yet and the vendors deserve a chance to get their butts in gear. My prediction is that Dan will post his code, a lot of system will be broken into, and then Dan will be arrested and hauled off to jail. All because the vendors don't want to be bothered. Since this has sounded like a defense of Dan, I suppose I need to attack him just to even things out ;-) I've sent Dan a request for his breakin suite (or whatever) and he hasn't provided it yet. I don't know if this is an oversight, or if he doesn't believe that I actually work on AIX. -- John F. Haugh II | Distribution to | UUCP: ...!cs.utexas.edu!rpp386!jfh Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org "If liberals interpreted the 2nd Amendment the same way they interpret the rest of the Constitution, gun ownership would be mandatory."
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/14/91)
In article <9105131716.AA17481@rodan.UU.NET> kyle@UUNET.UU.NET writes: > You did indeed post a fix. But without the details, it's very > hard for admins to come up with alternate solutions that don't > impact their base of users and programs as much. Fair enough. However, I'm not going to send break code to ten thousand people on the off chance that one or two of them can come up with a better solution. > It's hard to > close a hole if you don't know what it is. I've said what the holes are. I'm just not showing people how to exploit them in practice---yet. ---Dan
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/15/91)
In article <1991May14.101354.28935@scuzzy.in-berlin.de> src@scuzzy.in-berlin.de (Heiko Blume) writes: > which is wrong. don't forget archive sites (like me). one just can't > unshar your stuff on sys v machines properly, and there is no point > in archiving shar files - you don't know if they're broken or something. It's not my fault if you can't successfully archive a perfectly valid posting. (This does give me sufficient reason to shorten any long filenames in future postings, though.) > and since there are only a few filenames longer than 14 characters > (as you said), why the hell didn't YOU shorten them? Because I didn't even consider the problem of a System V port until right before posting the package. Again, we're talking about a kernel-reading package; there's a hell of a lot more work that has to be done for a System V port than just changing a few filenames. If and when someone shows some serious interest in a port, I'll do what I can to make it easier, but I'm not going to waste the effort before that. > instead you tell > us to do it - that's just a waste of time. I expect that anyone who wants to port part of the package to System V will get in touch with me first, so I'll end up doing the work anyway. ---Dan
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/16/91)
In article <19274@rpp386.cactus.org> jfh@rpp386.cactus.org (John F Haugh II) writes: > One problem is that the changes that are needed really have to > be made by the vendors because the changes aren't the same for > every UNIX platform. So he can't post a detailed fix. Fortunately (?), the holes were all inherited from the same place, so the fixes are essentially the same on each platform. In fact, I haven't heard of a (BSD-derived) system where my fixes don't work as is. What would really simplify the fixes is to eliminate all kernel changes. I have a (theoretically unreliable but in practice race-free) user-mode opencount() for various systems, including SunOS, Ultrix, straight BSD, DYNIX, et al., so on those systems it isn't necessary to implement TIOCOPENCT inside the kernel, at least not at first. It turns out that TIOCNOTTY already works on /dev/ttyxx on quite a few systems. That leaves just one kernel change for those systems, namely implementing /dev/stdtty. If someone can figure out a solution to /dev/tty that doesn't involve kernel changes, it'll suddenly be possible to distribute working patches even to sites without source. > My prediction is that Dan will post his code, a lot > of system will be broken into, and then Dan will be arrested > and hauled off to jail. All because the vendors don't want to > be bothered. Thank you for that pleasant thought. > I've sent Dan a request > for his breakin suite (or whatever) and he hasn't provided it > yet. Slow down, willya? I think it's more important to get the information to vendors like Sun that still have the problem than to vendors like IBM that (at least claim to) have fixed it. ---Dan