The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #090 [Re: virus litigation] (1 message, 731 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/090.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Piet Beertema <piet@cwi.nl>
To: phage
Date: Mon 06:42:49 07/11/1988 EST
Subject: Re: virus litigation

	1) This is a problem with an implementation of UNIX. It is
	   *not* an Internet problem.
True, but UNIX implementations form a large part
of the Internet.

	2) The proper way to report security problems is to contact
	   the appropriate authorities, not to exploit the holes.
Ummm, yes, but this raises a lot of other questions:
- Who are the "appropriate authorities"?
- Do you really think it would help in all
  cases to report it?
- It may take very long before the authorities
  forward it to other/higher authorities. Then
  shouldn't one report directly to the "final
  authorities"? Who are they?
- Until fixes and fixed objects have been spread
  all over the place, systems can still be under
  attack, if yet one other fancy guy finds the
  hole and *does* exploit it. Would you wait till
  that happens?
  The sheer impact of this whole thing has caused
  rapid action, fixes etc. That wouldn't have
  happened if the security problem was only reported
  to the "appropriate authorities".


	Piet

END OF DOCUMENT