Bugtraq mailing list archives

Re: security holes, notification protocols, and a clarification


From: elmer_j () UT EE (Elmer Joandi)
Date: Fri, 15 May 1998 20:41:07 +0300


Yep. I am sorry too, for all the people who got damaged within those 17
hours.
But I still hold the opinion that my path was correct.
Talking to people around me I found that my way of thinking is hard to
follow. That is why I want now to make clear points on that.

1. The hole was SUPER-EASY to find. Any responsible sysadmin looks from time
to time for processes listening on ports. And the first telnet into that port
(with all of its verbosity) made the problem very clear.
Now (major): how did it come that nobody in the world found it within 3 months?
And (minor): nobody in Cygnus found it in the stages of deep software testing
Cygnus products are hopefully going through.
There is NO reasonable answer for me (apart from ones in the sci-fi or global
paranoia domain). I think it is a wider problem than just a security hole in
a program.
If anyone could explain, I'd be thankful. Otherwise the answer is: "kill
the internet" or a similar out-of-band one.

2. Cygnus is in a central position in the software industry and the egcs+gcc user
base is way greater than the SN user base.

3. I had my very own right to be paranoid. I used it and I will use it in
future in similar cases.

Peace, anyway.

Elmer Joandi
AS Cybernetica, http://www.cyber.ee/
http://www.ut.ee/~elmer_j/
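Point 1 of the post rests on a routine check: periodically list which processes are listening on which ports and compare that against what the host is supposed to run. The script below is an added illustration of that audit, not code from the post or from Cygnus. It parses a small, constructed sample in the format of `ss -ltnp` output (the process names, PIDs and the port 4040 listener are invented for the example) and reports listeners that are not in a hypothetical per-host baseline, noting which of them are bound to all interfaces.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=455,fd=7))
LISTEN  0       4096    0.0.0.0:4040         0.0.0.0:*          users:(("devtool",pid=2231,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical baseline of listeners expected on this host: (port, process name).
# In practice this comes from the host's build documentation or a config-management manifest.
BASELINE = {(22, "sshd"), (631, "cupsd")}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int

    def exposed(self) -> bool:
        """True when the socket is bound to all interfaces rather than loopback."""
        return self.addr in ("0.0.0.0", "[::]", "*")


_LOCAL = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
_PROC = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text: str) -> list[Listener]:
    """Parse LISTEN rows of `ss -ltnp`-style output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL.match(fields[3])
        if not m:
            continue
        p = _PROC.search(line)
        name, pid = (p.group("name"), int(p.group("pid"))) if p else ("?", -1)
        listeners.append(Listener(m.group("addr"), int(m.group("port")), name, pid))
    return listeners


def audit(listeners: list[Listener], baseline: set[tuple[int, str]]) -> list[Listener]:
    """Return listeners whose (port, process) pair is not in the baseline."""
    return [l for l in listeners if (l.port, l.process) not in baseline]


def report(text: str = SAMPLE_SS_OUTPUT, baseline: set[tuple[int, str]] = BASELINE) -> list[str]:
    """Human-readable findings, one line per unexpected listener."""
    lines = []
    for l in audit(parse_ss(text), baseline):
        scope = "ALL INTERFACES" if l.exposed() else "local only"
        lines.append(f"unexpected listener: {l.process} (pid {l.pid}) on {l.addr}:{l.port} [{scope}]")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On a live host the `text` argument would be the captured output of `ss -ltnp` (run as root so process names are populated); the point of keeping the baseline explicit is that a listener nobody can account for is exactly the kind of finding the post says a routine look at open ports turns up.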


