SECURITY BUG IN INTERACTIVE UNIX SYSV386
John G. DeArmond
jgd at Dixie.Com
Thu Feb 14 09:17:11 AEST 1991
wengland at stephsf.stephsf.com (Bill England) writes:
> I have serious reservations about this kind of post. While as a
> system administrator I want to know, at the same time it
> is similar to giving handguns to a bunch of street thugs.
> The only way to protect ourselves, for now, is that those who have
> read the posting should inform their system administrators that the
> bug exists and the system admins can ask (Tell) everyone to not do
> it.
Actually, I was thinking quite the opposite. This little experience
is the shining example of why security-by-obscurity does NOT work and
why ALL security holes should be reported widely.
Look at what happened:
Our friend at dobag tried for over 6 months to quietly work with ISC
and get the bug fixed. Aside from his getting the usual
it's-not-a-bug-it's-a-feature runaround, consider what would have happened if ISC HAD
addressed the problem when he originally reported it. They'd have most
likely packaged the fix - if they could have managed to get it right
(shades of the inode bug) - in their next "upgrade" for which a hefty
fee would be charged and which those who don't pay the support extortion
would not know about. This fix might have come out in 6 months or it
might have taken a year or who knows.
But suppose they'd fixed it correctly and responded with free fixes to
every owner. The owners of other brands of V3 would have remained just
as exposed. Even if the cumbersome CERT mechanism had lumbered into
action, it would have still been months before fixes got implemented
with other vendors and still longer before they hit the streets. And
with the fanatical obsession with secrecy and obscurity among the
CERT-types, none of us would have known exactly what "security chasm"
had been filled.
As this event transpired, in less than 2 days, all the common Unixes had
been tested, the test results posted here, workarounds developed (so you
have to buy a 387 - big deal if your system really needs the security)
and last but not least, we now most likely have people poking around
looking for related problems. (Everybody so hacking raise your hands now..
Hmm, yep, thought so :-)
As the system owner and administrator, I got to exactly evaluate the risk
and decide what to do about it. Since I chose long ago not to rely on
permissions to protect sensitive data files, all such information is
stored encrypted. I can therefore decide not to spin in place and lose
sleep over the problem.
I say "THANK YOU" to all the people involved. The system of free flowing
information works again.
John
--
John De Armond, WD4OQC | "Purveyors of speed to the Trade" (tm)
Rapid Deployment System, Inc. | Home of the Nidgets (tm)
Marietta, Ga |
{emory,uunet}!rsiatl!jgd |"Politically InCorrect.. And damn proud of it