[11721] in bugtraq

Re: Compaq CIM UG Overwrites Legal Notice

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@VT.EDU)
Tue Sep 7 17:45:06 1999

Message-Id:  <199909050728.d857Svl18976@black-ice.cc.vt.edu>
Date:         Sun, 5 Sep 1999 03:28:53 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis.Kletnieks@VT.EDU
X-To:         "Free, Bob" <RWF4@PGE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Wed, 01 Sep 1999 18:07:32 PDT." 
              <2DBFCBE6D1DAD11191E300805F577D120103EDE5@exchange104.comp.pge.com>

On Wed, 01 Sep 1999 18:07:32 PDT, "Free, Bob" <RWF4@PGE.COM>  said:
> reboot. When the installation is completed after rebooting, these keys are
> cleared and your legal notice is gone.

Having installations that blow away files *intended* for user configuration
is always Very Bad Juju.

> If your security policies are reliant on legal notices this is not a good
> thing. (...)

OK.. I admit I'm reading it at 3AM, and it took 3 retries before I parsed
this sentence the way you intended.  I kept reading it as "this" being
the reliance, not the bug. It took 2 more reads before it sank in that
parsed either way the sentence was still probably true.  Having legal
notices disappear is a Bad Thing, and having policies that require them
may be a Bad Thing too...

Can anybody out there cite case law or statute where having a legal
notice actually makes a difference, in the case of a scriptz kiddy
exploit that rarely, if ever, sees a legal notice?  I'm aware of
the old "welcome to VMS" issue regarding the lack of a notice when the
user logged in normally.  This is the opposite - entering a system
via a means never intended to have a legal notice.  Could a login
banner be self-defeating, if a hacker doesn't log in?

In any case, if your security policies are *reliant* on notices, as
opposed to including them as one *small* part of a total solution,
you're probably already 0wned... ;)

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
