George Seibel (firstname.lastname@example.org)
9 Nov 88 03:25:16 GMT
In article <In article <email@example.com> dre%ember@Sun.COM (David Emberson) writes:
>In article <2060@spdcc.COM>, eli@spdcc.COM (Steve Elias) writes:
>> "Wormer" Morris has quite a career ahead of him, i'll bet.
>> he has done us all a favor by benevolently bashing bsd 'security'.
>I knew about this sendmail bug at least four years ago, courtesy of Matt
>Bishop (now at Dartmouth). He wrote a paper detailing at least a half dozen
>holes in the Unix system and methods for constructing trojan horses which was
>so dangerous that he responsibly decided not to publish it, but instead to
>give selected copies to people who could fix some of the problems. He also
>wrote an article for the Usenix newsletter, ;login, which explained how to
>write secure setuid shell scripts--a major source of security holes. Matt did
>not "benevolently bash" anyone's machines. His behaviour, while unsung by
>the press and the Usenet community, is an example of the highest in profession-
>al and academic standards. This is the kind of behaviour that we should be
In all due respect, why? It didn't seem to be very effective in closing
the hole in sendmail. Now that everyone is coming out of the woodwork
exclaiming that they've known about this bug for years, I can't help but
wonder why it wasn't fixed. There were a lot of people running around
a couple of weeks ago under the blissful assumption that their computers
were reasonably secure - they had done all the "right" things, vis a vis
file protections, setuid scripts and the like, and all the while, *anyone*
with the appropriate knowledge (and apparently a lot of people had it)
could have done *anything* they wanted to your machine! Perhaps that
was no great surprise to many readers of this newsgroup. Fine. If that's
the way people want it, then let's be up front and print a warning on
each copy of system software that ships: "Congratulations! You just
bought a fine copy of Unix. Don't keep any files you care about on it."
If we have security holes on our machines that are well known, and we
do nothing to patch those holes, we are asking for trouble.
This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:29 GMT