ras@sgfb.ssd.ray.com (Ralph A. Shaw) (05/06/91)
Regarding the ongoing flap about the proposed posting of various program sources for exposing security flaws in the UNIX tty subsystems, etc.

First, I can fully sympathize with the frustration at trying to get vendors to correct problems with their systems, security or otherwise. Even if the patches or replacement executables are made available via the Internet, USENET, or a BBS, it still does not notify a very large group of "system admins" that treat their system like a calculator, drawing pad, or mechanical modeling device, and ignore the fact that there is a computer in there that others could access, etc. Even if they became aware of this fact, I'm not sure that many of them would have the skills to actually do something productive about security.

Furthermore, OEMs that ship older versions of other vendors' systems should make more of an effort to pass security fixes and other releases through, etc. Being an old UNIX site that once relied on source, it's increasingly frustrating to not have the means to fix problems on our own for systems that source is (economically) no longer available for. We rely on the vendors to make timely fixes available, but very rarely does that happen. Dan's posting might just get some of these long-standing problems resolved before some new and improved Internet worm comes along and makes our collective day...

On the other hand, I wonder just how far a security whistle-blower could get in posting such a suite of security-hole sources before vendors put their lawyers on the case. It is easy to imagine that some would consider such a posting the equivalent of a mass-mailed bomb threat, which could be damaging both to unwitting end-user sites as well as the revenues of lawyer-heavy system vendors.

I wonder if most of the bugs, flaws and gaping holes could somehow be checked for in an addendum to the COPS package, along with suggested work-arounds for minimizing the damage. That might let the security-aware admins without the resources and contacts to keep abreast of these issues be somewhat aided, rather than making them hope for early retirement in 10/92.

-- 
Ralph Shaw ras@sgfb.ssd.ray.com
Raytheon Company, Submarine Signal Division, Portsmouth, RI