The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #168 [Our act of "doing nothing"] (1 message, 1684 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/168.txt&t=text/plain

From: David Herron E-Mail Hack <david@ms.uky.edu>
To: phage
Date: Tue 15:26:05 08/11/1988 EST
Subject: Our act of "doing nothing"
References: [Thread Prev: 166] [Thread Next: 169] [Message Prev: 167] [Message Next: 170]

Much as the discussion over the bugs themselves has been interesting, as
has the discussion over general strategies, the reaction here I also find
to be interesting.

There's an interesting debate which could happen over how much attention
should be paid to bug fixes from the outside.  How much attention should
be paid to reports of security problems from the outside.  ESPECIALLY in
a situation where security may have been breached making mail&news unreliable
sources of information.  Not to mention that mail&news are inherently
unreliable in the first place; it's too damn easy to forge either one.

A couple of days ago someone asked what people were doing.  I responded
with something along the lines "I'm embarrassed to say -- 'Nothing'" and
went on to give some reasons.  The most important reason being some, what
I thought at the time, bull-headedness by one of my cohorts.  He wasn't
allowing me to install fixes.  When I told you guys, some offered to do
something to show him that the problems were real, like send us logfiles
showing the problem happening or to break into our system and send us some
mail from root.  And in fact at least one person did break in, apparently
from Purdue, and did send us some mail and leave us a file in the home
directory of one of our machines.  Someone else may have broken in and
been snooping around, I am not sure...

The reality is closer to misunderstanding rather than anything else.
Contributing factors are that our staff is seriously overworked, and
underfunded, and has been for a very long time.  Another factor is that
I and my cohort have very differing attitudes over how to run a
system.  I like to be on the cutting edge and keep things up to date.
Brian prefers to be slightly stodgy and to run things which are
"stable", and that other people have proved work.  An example is how
we've handled the operating systems: back when I was running the whole
show (and unfortunately *was* the whole show) we switched over to
the BRL release of 4.2BSD, and had all these nice wonderful features.
Now that Brian is running the show (OS-wise that is) we're running
Ultrix 2.2.  We've got some features he thinks are nice&wonderful,
but I'm not so sure...

To put roles onto the situation ... I'm the software guy and Brian is
the security guy.  The software guy implicitly trusts what he does, and
while he usually does the right thing will sometimes goof up.  The
security guy has to be very paranoid, like Brian was being, and
question the possibility (even) that the postings from Berkeley might
have been forged.  (Unfortunately Brian is also partly a software guy
and is probably not paranoid enough about his own stuff..)

What do other people do internally to balance the paranoia side
of the business against the get-the-job-done side?
--
<-- David Herron; an MMDF guy                              <david@ms.uky.edu>
<-- ska: David le casse\*'      {rutgers,uunet}!ukma!david, david@UKMA.BITNET
<--
<-- Controlled anarchy -- the essence of the net.