Publicizing Security Issues

Danny danny at itm.UUCP
Fri Mar 8 01:49:11 AEST 1985


In article <115 at mot.UUCP> al at mot.UUCP (Al Filipski) writes:
>
>                       ...For one thing, a problem stands a much
>better chance of being fixed if it is well-known.  Second, with
>the proliferation of UNIX, there are a great many inexperienced
>administrators out there who are sitting ducks....

    Although I do agree that well-known problems stand a better
chance of being fixed, those of us with binary-only UN*X can't
fix 'em even if we wanted to (and getting the supplier to do
so is like scraping gums!).

    I think that publishing "10 ways to become root" would leave
many systems vulnerable for at least a couple of months: the time
it takes for Software Change Requests to be acted upon and the tape
of the offending program(s) (kernel?) returned.

    The policy used in the past on this net is to send the description
of the security hole(s) only to "root" by mail.
-- 
				Daniel S. Cox
				({gatech|akgua}!itm!danny)


