Re: nobody stuff

Peter Meric (pmeric@nospam.socs.uts.edu.au)
Thu, 30 May 1996 15:04:40 +1000 (EST)

On Thu, 30 May 1996, Ryan Shelswell wrote:

> >> I think the problem we're having here is that you're saying "Hi! We're a
> >> programming society dedicated to learning and dissemination of programming
> >> knowledge. By the way, we just fixed something to make our web server more
> >> secure, but we're not going to tell you why or how because then you might
> >> learn something. Have a nice day."
> >
> >You are entitled to your incorrect opinion. I support the facilitating
> >of learning. I do not support the dissemination of information about techniques
> >for compromising security measures.
>
> What you do or do not personally support doesn't matter a spitwad to me.
> You have a job to do as part of the executive of a University society.
>
> Besides which, if people who are actually involved with important computer
> security issues felt as you do, you wouldn't have found out either. And
> then where would you be?

I totally agree with Ryan here - if no one tells YOU about security holes, how
many would you actually find and fix? 1 in a hundred thousand? On a good day,
maybe. Are you suggesting that the methods used by the Internet WORM should
not have been published? Oh yes, we should just tell sys admins to apply this
patch, and not worry about what was wrong in the first place. Great! Sure the
situation is a bit different....

> >> I think it's more that people don't like the ex cathedra decisions which
> >
> >I don't understand the term, but I assume that you are referring to

That's okay... we can't all be epistemophiliacs.

> >> Wasn't ProgSoc started so people could share Unix hacking tips?
> >
> >In the sense of telling people how to compromise security measures?

That's exactly how people are normally notified about such security holes,
right?

I realise that a little information is a dangerous thing, and in this
situation, any more information could be even worse. However, we're
ProgSoc - this is what we're all about, isn't it? If it isn't, then what
the hell do we do? Get five of the membership to acquire knowledge, keeping
the others ignorant in the process??

What was the decision regarding the two users who were known to have
exploited this security hole on ftoomsh? Were they warned? Accounts locked?
I don't want names or public lynchings.

It is the executive's responsibility to keep its membership informed.

Peter

------------------------------------------------------------------------
Peter Meric pmeric@nospam.socs.uts.edu.au
pmeric@nospam.progsoc.uts.edu.au
pmeric@nospam.acs.itd.uts.edu.au

"Stupidity cannot be cured with money, or through education, or by
legislation. Stupidity is not a sin, the victim can't help being
stupid. But stupidity is the only universal capital crime; the sentence
is death, there is no appeal, and execution is carried out
automatically and without pity."

Robert Heinlein