richard@aiai.ed.ac.uk (Richard Tobin) (05/02/91)
In article <26844:May100:59:2591@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>I'd love to hear from anyone who can propose a simpler set of fixes
>that can still be proven to work.

While it seems likely that Dan's fixes are perfectly good, it wouldn't be surprising if full discussion here led to further improvements (and perhaps the discovery of other bugs). If vendors are (for once) going to incorporate these changes it would be good to subject them to the most rigorous scrutiny. For this reason I believe it would be best for Dan to post full details of the various loopholes.

-- Richard

--
Richard Tobin,                JANET: R.Tobin@uk.ac.ed
AI Applications Institute,    ARPA:  R.Tobin%uk.ac.ed@nsfnet-relay.ac.uk
Edinburgh University.         UUCP:  ...!ukc!ed.ac.uk!R.Tobin
chogan@maths.tcd.ie (Christine Hogan) (05/04/91)
In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:
>For this reason I believe it would be best for Dan to post full details
>of the various loopholes.

I disagree. I _don't_ have sources and I _do_ have lots of idle undergrads lapping up this discussion and dying for all the damaging details to be posted. Dan is doing exactly the right thing for my predicament.

-- Christine.

chogan@maths.tcd.ie
...!mcsun!maths.tcd.ie!chogan
chogan%maths.tcd.ie@cunyvm.cuny.edu
bill@franklin.com (bill) (05/05/91)
In article <1991May3.183159.23747@maths.tcd.ie> chogan@maths.tcd.ie (Christine Hogan) writes:
: In <4601@skye.ed.ac.uk> richard@aiai.ed.ac.uk (Richard Tobin) writes:
: >For this reason I believe it would be best for Dan to post full details
: >of the various loopholes.
: I disagree. I _don't_ have sources and I _do_ have lots
: of idle undergrads lapping up this discussion and dying
: for all the damaging details to be posted. Dan is doing
: exactly the right thing for my predicament.

You are in a fool's paradise. At least one of your undergrads is smart enough to figure out what to do with the hole given the clues already posted and to cover himself after using it. For as long as you remain ignorant of the details, you are prevented from taking preventative action.
jkp@cs.HUT.FI (Jyrki Kuoppala) (05/06/91)
In article <4May91.201446.4564@franklin.com>, bill@franklin (bill) writes:
>You are in a fool's paradise. At least one of your undergrads is
>smart enough to figure out what to do with the hole given the
>clues already posted and to cover himself after using it. For as
>long as you remain ignorant of the details, you are prevented from
>taking preventative action.

In a situation like this, the first question that comes to my mind is 'Is there any reason the undergrad won't show you the program (s)he comes up with?'

And what's so horrifying about these undergrads using some common holes anyway? They're supposed to learn something at the Uni, I think, not supposed to be there to spy for the (insert your favorite intelligence organization) or terrorize everyone else.

If your university atmosphere for whatever reason is filled with so much hatred and so little will for cooperation that your users won't tell you about the problems (with the benefit of getting to learn more and discuss the problem with people knowing perhaps more of the problems, to learn more) but instead they cause trouble to other users, your university is in much more serious trouble than some lousy computer security.

But then, nowadays when the counterproductive 'rules' and 'regulations' make just about anything or even thinking about it illegal or seriously punishable, perhaps it's understandable that the poor students are not willing to risk lawsuits or other penalties by sharing their information with others. I don't know, I certainly did tell about the holes to the administrators but back then our Uni didn't have all these myriads of written regulations with all kinds of threats.

//Jyrki
ras@sgfb.ssd.ray.com (Ralph A. Shaw) (05/06/91)
Regarding the ongoing flap about the proposed posting of various program sources for exposing security flaws in the UNIX tty subsystems, etc.

First, I can fully sympathize with the frustration at trying to get vendors to correct problems with their systems, security or otherwise. Even if the patches or replacement executables are made available via the Internet, USENET, or a BBS, it still does not notify a very large group of "system admins" that treat their system like a calculator, drawing pad, or mechanical modeling device, and ignore the fact that there is a computer in there that others could access, etc. Even if they became aware of this fact, I'm not sure that many of them would have the skills to actually do something productive about security. Furthermore, OEMs that ship older versions of other vendors' systems should make more of an effort to pass security fixes and other releases through, etc.

Being an old UNIX site that once relied on source, it's increasingly frustrating to not have the means to fix problems on our own for systems that source is (economically) no longer available for. We rely on the vendors to make timely fixes available, but very rarely does that happen. Dan's posting might just get some of these long-standing problems resolved before some new and improved Internet worm comes along and makes our collective day...

On the other hand, I wonder just how far a security whistle-blower could get in posting such a suite of security-hole-sources before vendors put their lawyers on the case. It is easy to imagine that some would consider such a posting the equivalent of a mass-mailed bomb threat, which could be damaging both to unwitting end-user sites as well as the revenues of lawyer-heavy system vendors.

I wonder if most of the bugs, flaws and gaping holes could somehow be checked for in an addendum to the COPS package, along with suggested work-arounds for minimizing the damage. That might let the security-aware admins without the resources and contacts to keep abreast of these issues be somewhat aided, rather than making them hope for early retirement in 10/92.

--
Ralph Shaw    ras@sgfb.ssd.ray.com
Raytheon Company, Submarine Signal Division, Portsmouth, RI