Bugtraq mailing list archives

Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994


From: tfs () vampire science gmu edu (Tim Scanlon)
Date: Tue, 29 Nov 1994 23:57:53 -0500 (EST)


        These holes in SCO have been around since 92 that I'm aware of...

        Unfortunately the circumstances in which I've discovered holes in SCO
        have not been such that I could disclose them, and I still can not
        discuss what I know of them.

        What's sad though, is that when someone finally gets off their
        butts & looks at the OS, & finds problems, and is in a position to
        do something about them as far as spreading information and fixes,
        we end up with a bunch of utter crap.

        These latest 8lgm notices are utterly worthless. TOTALLY AND COMPLETELY
        WORTHLESS. In fact, since they do NOT point out how or where the problems
        exist, they are ONLY hacker bait. 

        Especially in this case. SCO is primarily used as a "business" OS, and
        is marketed as such. (I could go on about a load of goods & bridges for
        sale but I won't rant) The problem is however that because this is the
        case, most administrators are under that much more performance pressure
        in general than those in the research & scientific sectors. They have
        even LESS time to worry about how to fix it.

        On the other hand, they also face the greater threat to "internal"
        hacks by "disgruntled" or dishonest employees as well. So it's a 
        double whammy. As well real data is probably the target in that case,
        not just net access or "getting r00t to sT0rE mY wArEZ" or many of the
        other more commonly blamed (read admitted to) security issues.

        In any event, the notices amounted to little turds in my mailbox,
        and I'd kindly appreciate it if I could be spared a huge list of
        problems without any fixes or adequate descriptions posted to a
        list I subscribe to that's supposed to be about _full_disclosure_.
        Or at least summarize them into *1* mailing for god's sakes. 
        Considering HOW LITTLE information was in those "notices" they could
        have easily fit in ONE notice.

        Not only that, we get treated to a cross-posting-by-the-clueless from
        USENET... This is why I unsubscribed to Firewalls...

        I don't need my packets wasted by this sort of crap. If there's some
        NEED to atone for the terrible sin of lobbying through disclosure,
        or actually embarrassing a vendor to get off their butts and fix
        security problems (Oops, I forgot about Sun... that ~does~ sort of blow
        that argument outta the water... BugOS anyone?) well you get my drift.
        In any event, I can certainly see both sides of the disclosure coin.
        But this latest crap isn't doing anyone any favors. 

        In any event, please leave non-disclosure vapor-alerts on USENET where
        they belong, and not on a disclosure oriented mailing list. The creeping
        cluelessness represented by the cross-posting from there is depressing
        enough.


                Tim Scanlon


___________________________________________________________________________________
tfs () gravity science gmu edu                  My opinions are my own, obviously! 
tfs () viper signalcorp com


