*BSD News Article 47637


Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!lll-winken.llnl.gov!hookup!news.mathworks.com!uhog.mit.edu!nntp.club.cc.cmu.edu!cantaloupe.srv.cs.cmu.edu!das-news2.harvard.edu!oitnews.harvard.edu!newsfeed.rice.edu!news.sesqui.net!uuneo.neosoft.com!Starbase.NeoSoft.COM!ctoriger
From: ctoriger@starbase.neosoft.com (Chris Origer)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: FreeBSD mention in RISKS.digest
Date: 31 Jul 1995 00:32:34 GMT
Organization: NeoSoft Internet Services   +1 713 968 5800
Lines: 64
Message-ID: <3vh8b2$g48@uuneo.neosoft.com>
References: <3vgh3q$o21@anshar.shadow.net>
NNTP-Posting-Host: starbase.neosoft.com
X-Newsreader: TIN [version 1.2 PL2]

Don Whiteside (dwhite@anshar.shadow.net) wrote:
: I don't know how many of you read comp.risks or saw the original article 
: this blurb mentions, but I thought it was worth cc:ing here.

: I've trimmed all the other bits out and left in just some header and the 
: article in question from the RISKS digest v20.17.

: Newsgroups: comp.risks
: Subject: RISKS DIGEST 17.20
: Message-ID: <CMM.0.90.1.806794003.risks@chiron.csl.sri.com>
: Date: 26 Jul 95 21:26:43 GMT

: RISKS-LIST: Risks-Forum Digest  Weds 26 July 1995  Volume 17 : Issue 20

:    FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
:    ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

: Date: Tue, 27 Jun 1995 11:34:51 -0400
: From: jepstein@inetml.cordant.com (Jeremy Epstein -C2 PROJECT)
: Subject: Risks of misreporting risks?


: The Washington Post Monday business section has a regular "shorts"
: called "Digital Flubs", in which they report on interesting goofs.
: Many of them appear to be culled (without attribution) from RISKS.

: The June 26 edition reads as follows:
: 	A piece of security software widely used on computer networks has
: 	a hole in it.  [CERT] said it has distributed instructions on how
: 	to correct the problem in FreeBSD, a program created by a software
: 	engineer in the Netherlands.  In some circumstances, the hole lets
: 	people tapping into a computer see and alter information that should
: 	be off-limits to them.  FreeBSD is an "enhancement" to S/Key, a
: 	program that controls password access to networked computers.
: 	S/Key itself does not have the problem.

: I'm not sure what this is actually trying to say, but whatever it is, it's
: wrong.  FreeBSD is an operating system, not security software or an
: enhancement to S/Key.  FreeBSD wasn't developed by an engineer in the
: Netherlands, although it's possible that S/Key was ported to FreeBSD by some
: such person.

: The risk is that someone might read this, think it actually describes
: a weakness, and mistakenly take action (or not take action) without
: knowing that the article is confused.

: ------------------------------

: --
: =========================================================================
:  Donald Alan Whiteside     MDCC Wage Slave     School of Computer Science
:          Official Usenet Dork for the week of Jan 9-13, 1995
:       GCS d-- -p+(---) l u+(-) e+ m+ s !n h f g+ w+ t+(++) r- y++ 
:           "The universe is not in the habit of giving up 
:        explanations to cursory examinations" - Garth Thornton 
: =========================================================================
Actually they may be talking about 'skey'. I recall about 6 months ago the
author of 'skey' saying that some releases were buggy in that they contained
some exploitable holes. This was not specific to any one platform that 'skey'
can be used on; it affected them all. This is all from memory; if anyone has
more specific info, please follow up.

Chris