SECURITY BUG IN INTERACTIVE UNIX SYSV386

Rob Healey rhealey at digibd.com
Sat Feb 23 05:02:14 AEST 1991


In article <1991Feb19.042353.27075 at chinet.chi.il.us> pdg at chinet.chi.il.us (Paul Guthrie) writes:
>I'm sick of people calling this a "gaping
>kind-you-can-drive-a-truck-through hole" in UNIX security.  If it
>was so gaping, how come it has never come up here before, like so
>many other obscure problems?  ISC was fixing this, and if that
>idiot had kept his mouth shut, it would have been fixed in time,
>without many of us rushing out to buy coprocessors. 

[ More "blaming the victim" deleted. ]

	AT&T fixed the bug quite a while ago. SCO and Dell did too. The
	reason most of us are shocked is because of the fundamental
	nature of this bug/"feature" and the implications that it makes
	toward responsibility of vendors. The bug IS a
	"gaping kind-you-can-drive-an-ocean-liner-through-hole" in UNIX
	security. Do you SERIOUSLY think that ISC would have fixed this
	bug WITHOUT all this negative publicity? I SINCERELY doubt it due
	to the fact they DOCUMENTED it and let it slide for well over a year
	after AT&T found it.

	This is a VERY sad statement for the state of software vendors today.

	What's even sadder is that "shrink wrap" license that protects
	EVERY software vendor from being responsible for ANYTHING. REALLY
	read that disclaimer sometime, all fault is shoved on the USER
	and NOT the provider. EVERY piece of software you have has this
	on it, NO vendor is responsible for the software they produce.
	THAT is the saddest part of all of this. The software industry
	has 0/zilch/nada/none legal responsibility to the user
	community. The only "bone" thrown to a user is that some companies
	MIGHT choose to be morally responsible...

	By the agreement on the ISC boxes, ISC CAN NOT BE HELD RESPONSIBLE
	for ANY damages resulting from use, or misuse, of their product.

	EVERY piece of software you "own" is the same. I would be VERY
	surprised if anything legal came out of this. As one person
	already said, the ONLY thing software companies are legally
	bound to do is provide you with defect free media; NOTHING else.

	Think about it...

		-Rob

Speaking for self, not company.