SECURITY BUG IN INTERACTIVE UNIX SYSV386
Garry M. Paxinos
pax at megasys.com
Mon Feb 18 20:54:42 AEST 1991
In article <1991Feb18.004416.12447 at ddsw1.MCS.COM> karl at ddsw1.MCS.COM (Karl Denninger) writes:
>Flame gun on nuclear holocaust setting:
>
>Look, folks. You published 2.2 while KNOWING FULL WELL that the
>problem was there. The release notes even hint that you knew about
>it in 2.0.2 or before -- certainly before 2.2 came out.

And obviously they knew about it when the 2.2.1 update came out...

>Now you've really done it. I hope your company gets sued for gross
>negligence and you go bankrupt.

I am absolutely positive it (legal action) is being looked into...

>It is one thing to publish a product with a problem like this. It
>is another entirely to do so with full knowledge of the hole, the
>damage it will cause when exploited, and simply not care. That is,
>generally, the definition of gross negligence. It is akin to
>selling a person a car with known defective brakes.

Agreed.

>There is lots of evidence of this "I don't care" attitude -- the
>fact that the bug was reported to you more than 6 months ago and
>ignored, and the published description of a "fix" in the release
>notes for 2.2. Of course what's not in the 2.2 release notes is
>that if you apply the fix, and don't have a math chip, the system
>will then not be able to do any floating point math!

Not to beat a dead horse, but the fact that 2.2.1 did not address the
'feature' proves the above sentiment beyond all shadow of a doubt.

[...]

>>The anticipated availability date of the bug-fix is February 22nd.
>>
>>Marty C. Stewart
>>Support Team Leader
>>Interactive Systems Corp.
>
>You and your entire crew deserve to be fired. ISC has deliberately done
>this. The "support team" appears to have deliberately ignored the report
>of this bug for at least 6 months. It is a >fact< that the problem was
>known when 2.2 was released.

And in 2.2.1, there simply is NO excuse. Zero, None, NADA! Get my drift..
Let's look at this, 2.2 came out around May 90 (right?), 2.2.1 came out in
early Dec 90, it's now mid Feb 91 ... hmmm.. almost a year... and still
no fix... When did ISC get AT&T's 3.2.1 which apparently included the
fix?

>Perhaps Kodak will take this seriously enough to enforce some real
>discipline from the top level down -- and replace all of you.

I certainly hope so...

>(flame gun off)

Ahh, in this case, leave the flame thrower on... they deserve it!

pax
--
E-Mail:pax at megasys.com pax at ankh.ftl.fl.us gmp at pinet.aip.org
USNail:Megasystems, Inc. 2055 South Congress Ave, Delray Beach, FL 33445
UUCP :{gatech!uflorida!novavax!ankh, mthvax, shark, attmail}!megasys!pax
Voice :407-243-2405 Data: 407-243-2407 Fax: 407-243-2408 Telex: 156281499
"This is America, Right?!?!?" member of 2 Live Crew