Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

[neil () legless demon co uk (Neil Woods)]

Tim Scanlon <tfs () vampire science gmu edu> uttered:

>       These holes in SCO have been around since 92 that I'm aware of...
>
>       Unfortunatly the circumstances in which I've discovered holes in SCO
>       have not been such that I could disclose them, and I still can not
>       discuss what I know of them.

Thats obscurity, get off this list.  You could have posted them anonymously.

>       What's sad though, is that when someone finally get's off their
>       butt's & looks at the OS, & finds problems, and is in a position to
>       do something about them as far as spreading information and fixes,
>       we end up with a bunch of utter crap.
>
>       These latest 8lgm notices are utterly worthless. TOTALY AND COMPLETLY
>       WORTHLESS. In fact, since the do NOT point out how or where the problems
>       exist, they are ONLY hacker bait. 

There's just as many people who vehermently object to having full disclosure
as well.  If you don't like our service, stop requesting information from
our fileserver.

>       Especially in this case. SCO is primarily used as a "buisness" OS, and
>       is marketed as such. (I could go on about a load of goods & bridges for
>       sale but I won't rant) The problem is however that because this is the
>       case, most administrator's are under that much more performance pressure
>       in general than those in the research & scienctific sectors. They have
>       even LESS time to worry about how to fix it.

I don't accept that, you have no proof of that.

>       On the other hand, they also face the greater threat to "internal"
>       hacks by "disgruntled" or dishonest employees as well. So it's a 
>       double whammy. As well real data is probably the target in that case,
>       not just net access or "getting r00t to sT0rE mY wArEZ" or many of the
>       other more commonly blamed (read admitted to) security issues.

You can't stop people with physical access gaining 'r00t'.

>       In any event, the notices amounted to little turds in my mailbox,
>       and I'd kindly appreciate it if I could be spared a huge list of
>       problems without any fixes or adequate descriptions posted to a
>       list I subscribe to that's supposed to be about _full_disclosure_.
>       Or at least summarize them into *1* mailing for god's sakes. 
>       Considering HOW LITTLE information was in those "notices" they could
>       have easily fit in ONE notice.

Stop requesting the little turds from our fileserver then.  To save you
getting our crap, we won't be posting advisories to bugtraq in the future.

>       Not only that, we get treated to a cross-posting-by-the-clueless from
>       USENET... This is why I unsubscribed to Firewalls...
>
>       I don't need my packets wasted by this sort of crap. If there's some
>       NEED to atone for the terrible sin of lobbying through disclosure,
>       or actually embaressing a vendor to get of their butt's and fix
>       security problems (Oops, I fogort about Sun... that ~does~ sort of blow
>       that argument outta the water... BugOS anyone?) well you get my drift.
>       In any event, I can certinly see both sides of the disclosure coin.
>       But this latest crap isn't doing anyone any favors. 

Sorry you feel that way, I won't lose any sleep over your worthless comments
Tim.

>       In any event, please leave non-disclosure vapor-alerts on USENET where
>       they belong, and not on a disclosure oriented mailing list. The creeping
>       clulessness represented by the cross-posting from there is depressing
>       enough.

You're not related to Pat are you?

Cheers,

Neil

-- 
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...