Vendor Responsibility -- example

Matt Crawford matt at oddjob.uchicago.edu
Wed Nov 16 02:01:41 AEST 1988


On the subject of vendor responsiveness to, and responsibility for,
security holes, a friend at a large commercial site sent me this,
and permission to post it.  It describes that site's discovery of
the anonymous ftp bug approximately ONE YEAR ago.

> It was rather odd how we discovered that one.  The Sun rep "stationed"
> at [this site] was doing a lot of ftp activity one day (enough so that
> we noticed).  I just happened to move over to the offending Sun while
> said Sun rep was in the ladies room.  She had left the ftp nasties on
> her screen and when I saw what was happening I COULDN'T BELIEVE IT.
> So the Sun rep never showed/informed us of the bug; we informed her of
> the bug after noticing her screen.

You might keep in mind that one Sun employee's knowledge of the problem
does not imply that any other employee knew of it, but it is clear that
at some level there was what the internet community seems to consider
"irresponsible behavior".
					Matt Crawford



More information about the Comp.unix.wizards mailing list