BSD tty security, part 4: What You Can Look Forward To

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Wed May 15 03:39:16 AEST 1991


In article <732 at seqp4.UUCP> jdarcy at sequoia.com (Jeff d'Arcy) writes:
> Now it's on my list of things to fix.  Big deal.  Except for the publicity,
> there's nothing to distinguish this bug from the sort of stuff that I and
> thousands of other OS developers at dozens of companies have seen every day
> for years.  Maybe Dan, Ian, and Paul's excitement can be explained by the
> observation that just about anything is exciting the first few times.

Maybe I found it exciting when I first found it and announced it a few
years back, but by now it's simply tedious to see each vendor introduce
one kludge after another, each of which is supposed to solve the problem
and none of which actually does.

> Believe me, kids: there are dozens of bugs in *every OS in the world* that
> would horrify users and administrators alike if they were ever made known.

Look, kid, I'm sure we all know our share of holes in each system. Holes
that crash the machine, holes that aren't auditable, holes that break
root, holes that have been known and complained about for years.

But how many of those holes appear in over a million machines from
dozens of vendors? How many of them have been ``fixed'' in at least
nine different ways---five separate times in one system alone?

This is not a minor problem, and it's not going to magically disappear.
Most holes only appear in one system at a time, and are fixed rather
quickly. To exploit this one I can run essentially the same code on
week-old releases from all the major vendors as I had years ago. So can
anyone else.

Get a sense of perspective, Jeff!

---Dan


