Path: utzoo!attcan!uunet!ginosko!brutus.cs.uiuc.edu!psuvax1!psuvax1!schwartz
From: schwartz@psuvax1.cs.psu.edu (Scott Schwartz)
Newsgroups: comp.unix.wizards
Subject: Re: sendmail/ftpd security-holes raise their ugly heads again...
Message-ID:
Date: 27 Sep 89 19:59:34 GMT
References: <21@minya.UUCP> <19837@mimsy.UUCP>
Sender: news@psuvax1.cs.psu.edu
Organization: Pennsylvania State University, computer science
Lines: 23
In-Reply-To: chris@mimsy.UUCP's message of 27 Sep 89 17:18:54 GMT

In article <19837@mimsy.UUCP> chris@mimsy.UUCP (Chris Torek) writes:
> I am tempted to avoid flames by not saying anything at all, but I
> agree with the assertion (perhaps implicit, I forget whether it was
> in the text I deleted) that vendors should have fixed it by now.
> I know, though, that some have not, and so I am not going to post
> the trick right now.

I don't understand. Isn't it the case that 90% of the hackers in the
universe have already heard about this bug? I mean, what exactly are
we keeping secret?

There is a bootstrap problem here: until there is pressure to fix
things, things will not get fixed; until things get fixed, there is
pressure not to disclose the bugs. . . .

Last year Weemba-from-Berkeley loudly proclaimed that in a year's time
everyone would be back to sleep on this issue. Guess what, looks like
he was right. I'm pretty well convinced that silence is futile.

--
Scott Schwartz
for h in `cat /etc/hosts`; do telnet $h smtp; done;
Now back to our regularly scheduled programming....