Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site itm.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!ihnp4!houxm!whuxl!whuxlm!akgua!gatech!itm!danny
From: danny@itm.UUCP (Danny)
Newsgroups: net.unix-wizards
Subject: Re: Publicizing Security Issues
Message-ID: <237@itm.UUCP>
Date: Thu, 7-Mar-85 10:49:11 EST
Article-I.D.: itm.237
Posted: Thu Mar  7 10:49:11 1985
Date-Received: Sun, 10-Mar-85 05:11:43 EST
References: <115@mot.UUCP>
Reply-To: danny@itm.UUCP (Danny)
Organization: In Touch - Atlanta, GA
Lines: 22
Summary: Those with binary-only license are vulnerable.

In article <115@mot.UUCP> al@mot.UUCP (Al Filipski) writes:
>
>                       ...For one thing, a problem stands a much
>better chance of being fixed if it is well-known.  Second, with
>the proliferation of UNIX, there are a great many inexperienced
>administrators out there who are sitting ducks....

    Although I do agree that well-known problems stand a better
chance of being fixed, those of us with binary-only UN*X can't
fix 'em even if we wanted to (and getting the supplier to do
so is like scraping gums!).

    I think that publishing "10 ways to become root" would leave
many systems vulnerable for at least a couple of months: the time
it takes for Software Change Requests to be acted upon and the tape
of the offending program(s) (kernel?) returned.

    The policy used in the past on this net is to send the description
of the security hole(s) only to "root" by mail.
-- 
				Daniel S. Cox
				({gatech|akgua}!itm!danny)