BSD tty security, part 4: What You Can Look Forward To
Dan Bernstein
brnstnd at kramden.acf.nyu.edu
Thu May 2 12:45:05 AEST 1991
In article <13266 at goofy.Apple.COM> erc at Apple.COM (Ed Carp) writes:
> In article <26844:May100:59:2591 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
> >Let me be more explicit. I consider vendors to have a legitimate
> Oh? I do consulting for a vendor, notably Apple.
Fine. So tell someone working on A/UX to get in touch with me.
> I also do consulting
> for a number of very large companies in the bay area, notably a very large
> public utility.
[ ... ]
> IMHO, your attitude is irrational. How many sites do I have to administer
> to qualify? One? Five? A hundred?
[ ... ]
> You haven't addressed the issue of whether I'm a cracker or not. Being a
> system administrator of a hundred systems doesn't prove you're a good guy,
> any more than being the administrator of one makes you a bad guy.
Somehow certain people have formed the mistaken impression that I have
been treating large sites differently from small sites. As I have tried
to explain, I do *not* see a fine line between the administrator of one
machine and the manager of a network of ten thousand machines. I have
not made and will not make a policy of sending break code to anyone who
asks---exactly *because* wide distribution of the code will eventually
reach the ``bad guys'', will affect practically every UNIX machine on
the Internet, and won't be traceable. So (as Dave Hayes can assure you)
I haven't been sending code to people merely because they manage a
``large enough'' network.
Would you like to reevaluate my ``irrational'' position, now that you
have some idea of what my position actually is?
> There's NO WAY that you're going to
> get all vendors to distribute fixes, let alone distribute them FOR FREE.
If a vendor doesn't react by October 1992, its systems will be open to
attack by any novice with rn and cc. Don't get the idea that I trust
vendors to fix problems; I just want to give the more sensible ones a
chance to clean up their act. I suspect that at least some will react.
I'd like to request once again that people read my articles before
spouting off about the proper distribution of security information. I
*have* posted fixes, not just complained about these holes. I have *not*
indicated that large sites are getting any special treatment, nor have I
been giving them any special treatment. I *have* set a date for
distributing code---a date far enough in the future that any concerned
vendor can fix its systems.
This may not be the optimal policy for handling a security hole, but
it's the best policy I've come up with, and I'm not going to listen to
complaints from people who can neither formulate a consistent
alternative policy nor think through its effects. The intelligent man
does not criticize what he cannot improve.
---Dan
More information about the Comp.unix.wizards
mailing list