Should Dan post full details of his tty bugs?

Ralph A. Shaw ras at sgfb.ssd.ray.com
Tue May 7 02:57:05 AEST 1991


Regarding the ongoung flap about the proposed posting of various program
sources for exposing security flaws in the UNIX tty subsystems, etc.

First, I can fully sympathize with the frustration at trying to get 
vendors to correct problems with their systems, security or otherwise.

Even if the patches or replacement executables are made available via the
Internet, USENET, or a BBS, it still does not notify a very large group of
"system admin's" that treat their system like a calculator, drawing pad, or
mechanical modeling device, and ignore the fact that there is a computer in
there that others could access, etc.  Even if they became aware of this fact,
I'm not sure that many of them would have the skills to actually do something
productive about security.  Furthermore, OEMs that ship older versions of
other vendors' systems should make more of an effort to pass security fixes
and other releases through, etc.

Being an old UNIX site that once relied on source, it's increasingly
frustrating to not have the means to fix problems on our own for systems that
source is (economically) no longer available for.  We rely on the vendors to
make timely fixes available, but very rarely does that happen.  Dan's posting
might just get some of these long-standing problems resolved before some new
and improved Internet worm comes along and makes our collective day...

On the other hand, I wonder just how far a security whistle-blower could get
in posting such a suite of security-hole-sources before vendors put their
lawyers on the case.  It is easy to imagine that some would consider such a
posting the equivalent of a mass-mailed bomb threat, which could be damaging
both to unwitting end-user sites as well as the revenues of lawyer-heavy
system vendors.

I wonder if most of the bugs, flaws and gaping holes could somehow be checked
for in an addendum to the COPS package, along with suggested work-arounds
for minimizing the damage.  That might let the security-aware admin's
without the resources and contacts to keep abreast of these issues be
somewhat aided, rather than making them hope for early retirement in 10/92.
-- 
Ralph Shaw		ras at sgfb.ssd.ray.com
Raytheon Company, Submarine Signal Division, Portsmouth, RI



More information about the Comp.unix.internals mailing list