Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site itm.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!ihnp4!houxm!whuxl!whuxlm!akgua!gatech!itm!danny
From: danny@itm.UUCP (Danny)
Newsgroups: net.unix-wizards
Subject: Re: Publicizing Security Issues
Message-ID: <237@itm.UUCP>
Date: Thu, 7-Mar-85 10:49:11 EST
Article-I.D.: itm.237
Posted: Thu Mar 7 10:49:11 1985
Date-Received: Sun, 10-Mar-85 05:11:43 EST
References: <115@mot.UUCP>
Reply-To: danny@itm.UUCP (Danny)
Organization: In Touch - Atlanta, GA
Lines: 22
Summary: Those with binary-only license are vulnerable.

In article <115@mot.UUCP> al@mot.UUCP (Al Filipski) writes:
>
> ...For one thing, a problem stands a much
>better chance of being fixed if it is well-known.  Second, with
>the proliferation of UNIX, there are a great many inexperienced
>administrators out there who are sitting ducks....

Although I do agree that well-known problems stand a better chance of
being fixed, those of us with binary-only UN*X can't fix 'em even if we
wanted to (and getting the supplier to do so is like scraping gums!).

I think that publishing "10 ways to become root" would leave many
systems vulnerable for at least a couple of months: the time it takes
for Software Change Requests to be acted upon and the tape of the
offending program(s) (kernel?) returned.

The policy used in the past on this net is to send the description of
the security hole(s) only to "root" by mail.

-- 
Daniel S. Cox ({gatech|akgua}!itm!danny)