Should Dan post full details of his tty bugs?
Jamie Mason
jmason at gpu.utcs.utoronto.ca
Thu May 9 17:10:58 AEST 1991
Too much quoting... The citations are too munged to figure out
who posted what:
> I disagree. I _don't_ have sources and I _do_ have lots
> of idle undergrads lapping up this discussion and dying
> for all the damaging details to be posted. Dan is doing
> exactly the right thing for my predicament.
> You are in a fool's paradise. At least one of your undergrads is
> smart enough to figure out what to do with the hole given the
> clues already posted and to cover himself after using it. For as
konczal at sunmgr.ncsl.nist.gov (Joe Konczal) writes:
> If Dan posted full details, those who don't have the source to their
> operating systems would still be unable to close the loopholes, but
> many other undergrads, who are not smart enough or motivated enough to
> figure it out on their own, would now know how to abuse these
> loopholes.
First of all, security through obscurity isn't. There is never a
good reason to hoard information. But that's been said about 5 times in
this thread already. My main point is below:
From the above three citations I would be led to believe that
undergraduate students are some kind of strange animal, suitable for
a zoo. I can speak for myself and my peers, while the zoo part may be
true on, say Saturday night, :-) we are not vicious animals, we don't
bite. Really.
You know it seems that inciting such an atmosphere that
students and administrators are enemies is a *bad thing*. If you treat
students like untrustworthy scum, they'll treat you like a totalitarian
dictator. It's not good for either party. It makes life much more
difficult for administration, and much less fun for students.
If I figured out the bug, I would probably do it once, just to see
that it works, issuing such damaging commands as 'whoami' or 'id' as
root to see that it worked. Then I would show the problem to the
system administrator. You see we don't have a large reservoir of
MALICE, we have a large reservoir of CURIOSITY. That is the way it is
supposed to be in a learning environment, right?
A few months ago, I found that the system was leaving world
readable VMCOREs (i.e. dumps of system memory at crash time). I thought
it might be fun to read other people's process memory at crash time.
After pondering the ethics (curiosity vs privacy) for about an hour, I
came to the conclusion that no matter how much fun it would be, that data
was NOT MINE TO READ, so I did not read it. Rather, I wrote a message to
the system administrator about the problem.
Did it ever occur that some of these "idle undergrads" could
actually *SOLVE* your problem for you? Armed with the details of the
bugs, someone could first check if they exist, (OH MY GOD! EXPLOIT THEM!
RUIN THE SYSTEM!!! Take a valium.) and then perhaps even *FIX* them for
you, given read access to the appropriate source code. I am sure that
there is at least ONE student at each site capable enough at kernel
hacking to fix the tty bugs.
Come on people, we want to all use the computer in harmony,
right? Let's nurture an atmosphere of friendship and respect, not
enmity and fear.
Jamie ... Segmentation fault (core dumped)
Written On Thursday, May 9, 1991 at 03:09:58am EDT