LISTSERV - HP3000-L Archives

HP3000-L Archives

June 2000, Week 5

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L June 2000, Week 5

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	HP Security Bulletin on TurboIMAGE DBUTIL: FOLLOW-UP
From:	Sletten Kenneth W KPWA <[log in to unmask]>
Reply To:	Sletten Kenneth W KPWA <[log in to unmask]>
Date:	Thu, 29 Jun 2000 13:13:38 -0700
Content-Type:	text/plain
Parts/Attachments:	text/plain (59 lines)

Hello again All 3000-L:

Since my forward last night of the HP Security Bulletin on the
recently discovered security vulnerability in TurboIMAGE
DBUTIL, I have already gotten a couple direct email requests
from individual users that essentially ask:

> > PROBLEM:  Given a specific setup, users with ordinary
> > database privileges can gain additional privileges.>>
>
> So how would a user do this?

One of the people who asked I know personally as one of the
"good guys" (if he wasn't being spoofed by someone on the
Dark Side (unlikely I expect, but not impossible) );  the other
name I don't recall ever seeing on 3000-L in all the years I have
been actively reading this list.

This is one of those cases where I think "security by obscurity"
is actually quite good;  and as a corollary if precise details on
how to do it and the ramifications thereof are published to the
world, the chances that malicious external hackers or
disgruntled internal employees will try and exploit it go up by
maybe two orders of magnitude.

Lest some think I'm being overly paranoid, I would refer you to
some of the Internet security experts (I'm not one of them), who
could I expect tell many if not most of us scary bedtime stories
about ingenious hackers and crackers;  who do automated
searches of well-known public discussion lists for key words
like "security", etc....  and if they find something "interesting",
immediately apply all their mental and machinery resources to
try and exploit it.

Therefore:  I've decided that to avoid having to decide who to
tell and who not to tell if I get a bunch of private email requests
for all the details (and how to "validate" who is asking), I'm going
to respectfully refer all questions on details to the HP RC.  That
way HP can decide how much of the beans they want to spill to
those who have support contracts, if any..  No offense intended
and I hope none taken by everyone who is quite legitimately
wondering;  Guess for right now I'll just try and say "trust me":
It's something I would never have thought of.  HP temporary
work-around will cover it;  and hopefully the patch will be up
very soon (maybe a few days).  Then people can get the patch
and the whole thing will be moot....  I would go so far as to ask
anyone who might independently discover this weakness to
also refrain from publishing any details on any public list (see
again the HP security bulletin).

If anybody is unhappy or disagrees with any of my above, let
me know....  But I'm of the opinion that since an immediate
workaround is available and a permanent fix will be up "soon",
broadcasting the exact details of how to exploit this would be a
bad idea;  and would *increase* the threat to many systems....

Ken Sletten
SIGIMAGE Chair

ATOM RSS1 RSS2

RAVEN.UTC.EDU