SECURITY BUG IN INTERACTIVE UNIX SYSV386

Bill Kennedy bill at ssbn.WLK.COM
Thu Feb 14 11:47:56 AEST 1991


In article <483 at stephsf.stephsf.com> wengland at stephsf.stephsf.com (Bill England) writes:
>
>   The program crashes with a memory fault on SCO ODT 1.0 on a system
>   with an fpu.

That's good to know.  I've not had a whole lot of complimentary things to
say about ODT, but this is important enough to remember.

>   I have serious reservations about this kind of post.  While as a
>   system administrator I want to know, at the same time it
>   is similar to giving handguns to a bunch of street thugs.

No, I completely disagree.  The street thugs already had the handguns and
they were already pointed at our heads, this just gave us fair warning so
that we could defend ourselves.  I read the article with mixed emotions
because I took a rather extreme defense.  I have an NCR Tower that has
custody of all connections to the outside world and all user access other
than a couple of people that I can go strangle if they betray me.  That is
*very* extreme, but I have been successfully attacked and vandalized so my
paranoia has some basis.  I think the post was completely correct and proper
because he made it clear that he had notified ISC and they had either
stonewalled or ignored him.  I would prefer to believe that ISC didn't
know about the hole but my personal opinion is that they knew and shipped
anyway.

>   The only way to protect ourselves, for now, is that those who have
>   read the posting should inform their system administrators that the
>   bug exists and the system admins can ask (Tell) everyone to not do
>   it.

I would take it a step farther.  I would delete or inactivate any user
account that you do not know and trust.  That can be a touchy situation
sometimes but necessary if you place any value on the security of your
system and its contents.  I think that you must presume that someone will
get mischievous and take a joy ride.  Even experts can bruise the foliage
in a high speed chase.

>--
> +-  Bill England,  wengland at stephsf.COM -----------------------------------+
> |   * *      H -> He +24Mev                                                |
> |  * * * ... Oooo, we're having so much fun making itty bitty suns *       |
> |__ * * ___________________________________________________________________|

I'm rather surprised at how calm and quiet everyone is about this.  For the
purpose of making my point I'll ASSume that Interactive knew about this and
didn't tell anyone.  I have no such evidence but it illustrates my point.

Your (and my) UNIX vendor shipped an operating system that they _knew_ had
a huge gaping security hole in it.  They took your money and exposed you to
Lord knows what.  Now, after (if we're to believe the original article and I
do) several days, there's no confirmation or denial from Interactive and no
howls of outrage from those standing in the wind with their bathrobes at half
mast.  I guess that this confirms what I believe was their opinion in the
first place: who cares?  Well damn it!  I care!  Maybe I care too much and
have a gatekeeper to keep joy riders out, but I think that each and every one
of you should care and should care more than I do.  On the other hand, maybe
we are just hobby players, maybe these systems are toys, don't produce any
meaningful work, cost $$ within discretionary budgets, or we're just amateurs
who don't understand the consequences of a rogue with root permissions.
-- 
Bill Kennedy  usenet      {att,cs.utexas.edu,pyramid!daver}!ssbn.wlk.com!bill
              internet    bill at ssbn.WLK.COM   or attmail!ssbn!bill