Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

Tim Scanlon (tfs@vampire.science.gmu.edu)
Tue, 29 Nov 1994 23:57:53 -0500 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Neil Woods: "Re: your mail"
Previous message: That Whispering Wolf...: "Security through obscurity, etc."
In reply to: Pat Myrto: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"
Next in thread: Paul 'Shag' Walmsley: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"

	These holes in SCO have been around since 92 that I'm aware of...

	Unfortunatly the circumstances in which I've discovered holes in SCO
	have not been such that I could disclose them, and I still can not
	discuss what I know of them.

	What's sad though, is that when someone finally get's off their
	butt's & looks at the OS, & finds problems, and is in a position to
	do something about them as far as spreading information and fixes,
	we end up with a bunch of utter crap.

	These latest 8lgm notices are utterly worthless. TOTALY AND COMPLETLY
	WORTHLESS. In fact, since the do NOT point out how or where the problems
	exist, they are ONLY hacker bait. 

	Especially in this case. SCO is primarily used as a "buisness" OS, and
	is marketed as such. (I could go on about a load of goods & bridges for
	sale but I won't rant) The problem is however that because this is the
	case, most administrator's are under that much more performance pressure
	in general than those in the research & scienctific sectors. They have
	even LESS time to worry about how to fix it.

	On the other hand, they also face the greater threat to "internal"
	hacks by "disgruntled" or dishonest employees as well. So it's a 
	double whammy. As well real data is probably the target in that case,
	not just net access or "getting r00t to sT0rE mY wArEZ" or many of the
	other more commonly blamed (read admitted to) security issues.

	In any event, the notices amounted to little turds in my mailbox,
	and I'd kindly appreciate it if I could be spared a huge list of
	problems without any fixes or adequate descriptions posted to a
	list I subscribe to that's supposed to be about _full_disclosure_.
	Or at least summarize them into *1* mailing for god's sakes. 
	Considering HOW LITTLE information was in those "notices" they could
	have easily fit in ONE notice.

	Not only that, we get treated to a cross-posting-by-the-clueless from
	USENET... This is why I unsubscribed to Firewalls...

	I don't need my packets wasted by this sort of crap. If there's some
	NEED to atone for the terrible sin of lobbying through disclosure,
	or actually embaressing a vendor to get of their butt's and fix
	security problems (Oops, I fogort about Sun... that ~does~ sort of blow
	that argument outta the water... BugOS anyone?) well you get my drift.
	In any event, I can certinly see both sides of the disclosure coin.
	But this latest crap isn't doing anyone any favors. 

	In any event, please leave non-disclosure vapor-alerts on USENET where
	they belong, and not on a disclosure oriented mailing list. The creeping
	clulessness represented by the cross-posting from there is depressing
	enough.


		Tim Scanlon


___________________________________________________________________________________
tfs@gravity.science.gmu.edu			My opinions are my own, obviously! 
tfs@viper.signalcorp.com

Next message: Neil Woods: "Re: your mail"
Previous message: That Whispering Wolf...: "Security through obscurity, etc."
In reply to: Pat Myrto: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"
Next in thread: Paul 'Shag' Walmsley: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"