[330] in bugtraq
Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994
daemon@ATHENA.MIT.EDU (Tim Scanlon)
Sat Dec 3 20:15:27 1994
From: Tim Scanlon <tfs@vampire.science.gmu.edu>
To: bugtraq@fc.net
Date: Tue, 29 Nov 1994 23:57:53 -0500 (EST)
In-Reply-To: <9411290116.AA27210@rwing.UUCP> from "Pat Myrto" at Nov 28, 94 05:16:00 pm
These holes in SCO have been around since 92 that I'm aware of...
Unfortunatly the circumstances in which I've discovered holes in SCO
have not been such that I could disclose them, and I still can not
discuss what I know of them.
What's sad though, is that when someone finally get's off their
butt's & looks at the OS, & finds problems, and is in a position to
do something about them as far as spreading information and fixes,
we end up with a bunch of utter crap.
These latest 8lgm notices are utterly worthless. TOTALY AND COMPLETLY
WORTHLESS. In fact, since the do NOT point out how or where the problems
exist, they are ONLY hacker bait.
Especially in this case. SCO is primarily used as a "buisness" OS, and
is marketed as such. (I could go on about a load of goods & bridges for
sale but I won't rant) The problem is however that because this is the
case, most administrator's are under that much more performance pressure
in general than those in the research & scienctific sectors. They have
even LESS time to worry about how to fix it.
On the other hand, they also face the greater threat to "internal"
hacks by "disgruntled" or dishonest employees as well. So it's a
double whammy. As well real data is probably the target in that case,
not just net access or "getting r00t to sT0rE mY wArEZ" or many of the
other more commonly blamed (read admitted to) security issues.
In any event, the notices amounted to little turds in my mailbox,
and I'd kindly appreciate it if I could be spared a huge list of
problems without any fixes or adequate descriptions posted to a
list I subscribe to that's supposed to be about _full_disclosure_.
Or at least summarize them into *1* mailing for god's sakes.
Considering HOW LITTLE information was in those "notices" they could
have easily fit in ONE notice.
Not only that, we get treated to a cross-posting-by-the-clueless from
USENET... This is why I unsubscribed to Firewalls...
I don't need my packets wasted by this sort of crap. If there's some
NEED to atone for the terrible sin of lobbying through disclosure,
or actually embaressing a vendor to get of their butt's and fix
security problems (Oops, I fogort about Sun... that ~does~ sort of blow
that argument outta the water... BugOS anyone?) well you get my drift.
In any event, I can certinly see both sides of the disclosure coin.
But this latest crap isn't doing anyone any favors.
In any event, please leave non-disclosure vapor-alerts on USENET where
they belong, and not on a disclosure oriented mailing list. The creeping
clulessness represented by the cross-posting from there is depressing
enough.
Tim Scanlon
___________________________________________________________________________________
tfs@gravity.science.gmu.edu My opinions are my own, obviously!
tfs@viper.signalcorp.com
