Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wasatch!cs.utexas.edu!uunet!seismo!esosun!cogen!celerity!celit!dave
From: dave@celerity.uucp (Dave Smith)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: the worm and internet security
Message-ID: <433@celit.UUCP>
Date: 15 Aug 89 23:12:34 GMT
References: <8907280211.AA09340@asylum.sf.ca.us> <24248@santra.UUCP>
Sender: news@celerity.UUCP
Reply-To: dave@celerity.UUCP (Dave Smith)
Organization: FPS Computing Inc., San Diego CA
Lines: 28

In article <24248@santra.UUCP> jkp@cs.HUT.FI (Jyrki Kuoppala) writes:
>The Berkeley ucb-fixes list already does a very good job at this -
>but apparently it isn't enough, as many vendors seem to neglect the
>security fixes which Berkeley puts out.  For example, how many have
>fixed the one with rshd and rlogind accepting connections from ports
>under 512 ?  It seems that someone has to make public the information
>how to use the bug before the vendors believe it.

One problem we have had in implementing the fixes is the reluctance of
BSD to explain what the problem is!  Our code has diverged from the
BSD stuff in parts and receiving a ten-line context diff which doesn't
apply to our code and "fix this now!" is really not very helpful.  
Especially since in order to be sure that we've fixed the bug we need to
know what the bug is so we can test it afterwards.  In addition, since 
our architecture is different from the VAX, some bugs (like the fingerd 
hole) don't happen on our machine or may happen in a different way.

The idea of a security list circulating amongst the vendors and then going
public after a few months is an excellent idea.  Pretending the problems
don't exist is silly.

(these views, of course, are mine and not the property of FPS Computing,
 who would probably disown me if they knew the kind of silly stuff I have
 been posting)
David L. Smith
FPS Computing, San Diego
ucsd!celerity!dave
"Repent, Harlequin!," said the TickTock Man
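The source-port check that the quoted rshd/rlogind bug concerns, as an added example that is not part of the original post or of any BSD release. It contrasts a permissive check (any port below IPPORT_RESERVED, 1024, is trusted) with the corrected one (only ports in the range IPPORT_RESERVED/2 to IPPORT_RESERVED-1, i.e. 512 to 1023, are trusted, so a connection originating from a well-known service port under 512 is refused). The function names, the port table and the sample peer address are constructed for illustration; this is the kind of test one needs in order to confirm a fix has actually taken, which is the point Dave makes above.

```c
#include <stdio.h>
#include <stdint.h>
#include <netinet/in.h>   /* struct sockaddr_in, ntohs/htons, IPPORT_RESERVED */
#include <arpa/inet.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024   /* ports below this may only be bound by root */
#endif

/* Hypothetical helper names; not taken from any BSD daemon source. */

/* Permissive check: trusts any source port below 1024.  This is the
 * behaviour the quoted post objects to: a peer connecting from a port
 * under 512 (a well-known service port) is accepted as "privileged". */
int accept_port_old(uint16_t src_port)
{
    return src_port < IPPORT_RESERVED;
}

/* Corrected check: trust only 512..1023.  Ports under 512 are reserved for
 * well-known services and are not a safe proof that a root-owned rsh/rlogin
 * client is on the other end; ports >= 1024 are open to any user. */
int accept_port_fixed(uint16_t src_port)
{
    return src_port >= IPPORT_RESERVED / 2 && src_port < IPPORT_RESERVED;
}

/* Apply the corrected check to a peer address as returned by accept()
 * or getpeername().  sin_port is in network byte order, hence ntohs(). */
int peer_port_ok(const struct sockaddr_in *from)
{
    return accept_port_fixed(ntohs(from->sin_port));
}

/* Regression table over constructed source ports.  Prints the verdict of
 * each check and returns how many ports the two checks disagree on. */
int compare_checks(void)
{
    static const uint16_t ports[] = { 0, 21, 511, 512, 513, 1023, 1024, 40000 };
    int disagreements = 0;
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int o = accept_port_old(ports[i]);
        int f = accept_port_fixed(ports[i]);
        printf("port %5u: old=%-6s fixed=%s\n", ports[i],
               o ? "accept" : "reject", f ? "accept" : "reject");
        if (o != f)
            disagreements++;
    }
    return disagreements;
}

int main(void)
{
    /* Constructed peer: a root-owned client that bound port 1022. */
    struct sockaddr_in peer;
    peer.sin_family = AF_INET;
    peer.sin_port = htons(1022);
    peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    printf("peer on port 1022 accepted: %d\n", peer_port_ok(&peer));
    printf("%d ports where old and fixed checks differ\n", compare_checks());
    return 0;
}
```

To verify a vendor's daemon rather than this toy, the same table is the test plan: connect to rshd from a root-owned socket bound to each port in turn and confirm that only 512 through 1023 are let through.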