SECURITY BUG IN INTERACTIVE UNIX SYSV386
Bill Kennedy
bill at ssbn.WLK.COM
Thu Feb 14 11:47:56 AEST 1991
In article <483 at stephsf.stephsf.com> wengland at stephsf.stephsf.com (Bill England) writes:
>
> The program crashes with a memory fault on SCO ODT 1.0 on a system
> with an fpu.
That's good to know. I've not had a whole lot of complimentary things to
say about ODT, this is important enough to remember.
> I have serious reservations about this kind of post. While as a
> system administrator I want to know, at the same time it
> is similar to giving handguns to a bunch of street thugs.
No, I completely disagree. The street thugs already had the handguns and
they were already pointed at our heads, this just gave us fair warning so
that we could defend ourselves. I read the article with mixed emotions
because I took a rather extreme defense. I have an NCR Tower who has
custody of all connections to the outside world and all user access other
than a couple of people that I can go strangle if they betray me. That is
*very* extreme, but I have been successfully attacked and vandalized so my
paranoia has some basis. I think the post was completely correct and proper
because he made it clear that he had notified ISC and they had either
stonewalled or ignored him. I would prefer to believe that ISC didn't
know about the hole but my personal opinion is that they knew and shipped
anyway.
> The only way to protect ourselves, for now, is that those who have
> read the posting should inform their system administrators that the
> bug exists and the system admins can ask (Tell) everyone to not do
> it.
I would take it a step farther. I would delete or inactivate any user
account that you do not know and trust. That can be a touchy situation
sometimes but necessary if you place any value on the security of your
system and its contents. I think that you must presume that someone will
get mischievous and take a joy ride. Even experts can bruise the foliage
in a high speed chase.
>--
> +- Bill England, wengland at stephsf.COM -----------------------------------+
> | * * H -> He +24Mev |
> | * * * ... Oooo, we're having so much fun making itty bitty suns * |
> |__ * * ___________________________________________________________________|
I'm rather surprised at how calm and quiet everyone is about this. For the
purpose of making my point I'll ASSume that Interactive knew about this and
didn't tell anyone. I have no such evidence but it illustrates my point.
Your (and my) UNIX vendor shipped an operating system that they _knew_ had
a huge gaping security hole in it. They took your money and exposed you to
Lord knows what. Now, after (if we're to believe the original article and I
do) several days, there's no confirmation or denial from Interactive and no
howls of outrage from those standing in the wind with their bathrobes at half
mast. I guess that this confirms what I believe was their opinion in the
first place, who cares? Well damn it! I care! Maybe I care too much and
have a gatekeeper to keep joy riders out, but I think that each and every one
of you should care and should care more than I do. On the other hand, maybe
we are just hobby players, maybe these systems are toys, don't produce any
meaningful work, cost $$ within discretionary budgets, or we're just amateurs
who don't understand the consequences of a rogue with root permissions.
--
Bill Kennedy usenet {att,cs.utexas.edu,pyramid!daver}!ssbn.wlk.com!bill
internet bill at ssbn.WLK.COM or attmail!ssbn!bill