Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Compaq CIM UG Overwrites Legal Notice
From: Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)
Date: Sun, 5 Sep 1999 03:28:53 -0400

On Wed, 01 Sep 1999 18:07:32 PDT, "Free, Bob" <RWF4 () PGE COM>  said:
reboot. When the installation is completed after rebooting, these keys are
cleared and your legal notice is gone.

Having installations that blow away files *intended* for user configuration
is always Very Bad Juju.

If your security policies are reliant on legal notices this is not a good
thing. (...)

OK.. I admit I'm reading it at 3AM, and it took 3 retries before I parsed
this sentence the way you intended.  I kept reading it as "this" being
the reliance, not the bug. It took 2 more reads before it sank in that
parsed either way the sentence was still probably true.  Having legal
notices dissapear is a Bad Thing, and having policies that require them
may be a Bad Thing too...

Can anybody out there cite case law or statute where having a legal
notice actually makes a difference, in the case of a scriptz kiddy
exploit that rarely, if ever, sees a legal notice?  I'm aware of
the old "welcome to VMS" issue regarding the lack of a notice when the
user logged in normally.  This is the opposite - entering a system
via a means never intended to have a legal notice.  Could a login
banner be self-defeating, if a hacker doesn't login?

In any case, if your security policies are *reliant* on notices, as
opposed to including them as one *small* part of a total solution,
you're probably already 0wned... ;)

                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]