BSD tty security

Arthur W. Protin Jr. protin at pica.army.mil
Tue May 14 02:03:52 AEST 1991


Folk,
    I am getting very tired of the foolishness, personal attacks, and
(seeming) evilness going on in this thread on tty security.  Dan
posted a warning about a pretty serious security hole and more importantly
about the indifference vendors have about fixing it. He threatened/promised
to release a complete break-and-enter kit far enough into the future that
any viable vendor could act to protect their products.  He even included
a step-by-step recipe for closing the hole.
    Then come the demands for the details to be released now.  With the
exception of Keith Muller's postings, and those supporting Dan's position,
the majority of postings in this thread have been nonsense or
maliciousness.  One poster who complained bitterly that Dan would not
give him the dirt turned out to be from a vendor that, according to the
poster, makes a unix variant that includes none of the problem code.
Why should that poster need the code, except for malicious purposes?

    THE CODE THAT DAN IS WITHHOLDING IS THE CODE THAT EXPLOITS THE
SECURITY BUG.  It is not needed to fix the code.  It is useful for
testing the fixes.

    Thus, I find the following posting to be logically flawed:
> System administrators are notably busy all the time, whereas idle
> hackers usually (by definition) have a great deal of idle time.
> Who do you suppose is going to be able to react better to a few
> hints, an overworked system administrator or some eager hacker?
System administrators don't need to deal with the hints!  Follow
the recipe.  Leave the hints and/or other dealings with Dan to the
systems programmers who commit to fixing the problem completely
(for at least a significant set of machines).  If you can not work
from his plan, you will not be able to do anything more with the details
except exploit the bug!

    Other than following Dan's step-by-step repair procedure, SA's
can start to pressure their suppliers to fix or commit to fix the
bug.

    As for the suggestion that undergraduate students could help
solve the problem, Dan has already given them an assignment.  In
a year and a half, take the break-and-enter kit and test every
system within reach.  The dozens of machines here will only get 
fixed when the vendor supplies us with good code.  What makes
anybody think that there is a shortage of technical fixes?  The
BIGGEST problem is BUREAUCRACY and INDIFFERENCE at the vendors.
We need a few good lawsuits or contract penalty clauses to motivate
them.

Thank you, I just had to get that off my chest.

    Arthur Protin


Arthur Protin <protin at pica.army.mil>
These are my personal views and do not reflect those of my boss
or this installation.
