Path: utzoo!utgpu!watmath!att!tut.cis.ohio-state.edu!cs.utexas.edu!uunet!mcvax!tuvie!tugiaik!plipp
From: plipp@tugiaik.UUCP (Peter Lipp)
Newsgroups: comp.sys.apollo
Subject: Re: security bug
Summary: Hope I caused no troubles
Keywords: apollo,domain_os,aegis,display manager
Message-ID: <109@tugiaik.UUCP>
Date: 9 Aug 89 11:09:58 GMT
References: <108@tugiaik.UUCP>
Organization: none
Lines: 49

In article <108@tugiaik.UUCP>, plipp@tugiaik.UUCP (Peter Lipp) writes:
> 
> Possible Security Problem with DOMAIN-OS and the Display-Manager
>

Keith Dawson of Apollo/Hp writes in another article:

   > We regret the broad dissemination of detailed instructions for exploiting
   > a security hole.
	  
I answered him as follows:

> I personally do not think and hope that my posting will do considerable harm. My opinion is that
> the best way to prevent the misuse of such holes is to publish them so that everybody
> is aware of the problem. I now there might occur situations where the wrong people might
> become aware and the right people might not. 
> 
> I think there might be lots of users out there not going to change to 10.2 and not knowing and
> getting the patches automatically. And there might be other smart students or users who
> find out about this possibility and misuse it. This I consider the worse case.
> 
> Furthermore, you might have informed at least local representatives to enable them to
> answer my inquiries about a month ago. If they had known about the problem, I surely would
> not have posted that stuff.
> 

I would like to hear from you what you think about this - do you prefer to know about existing
security bugs or do you prefer not to be aware of them?

There is an easy but tedious way to prevent this until the August 1989 patch tape is available 
(here, in Austria, in September): Just type in a wrong password. This should do for a while. Then
check if your keyboard has been redefined and change your password immediately.

Are there any better suggestions out there?

I truly hope I have not caused troubles somewhere, which I would regret.

Please post your reactions - and send a copy by email to me directly.

Peter


Peter Lipp - Institute for Applied Information Processing
University of Technology, Graz, Austria
plipp@tugiig.uucp - plipp@tugiig.at - mcvax!tuvie!tugiig!plipp