On Thu, 15 Feb 2007, Joep Vesseur wrote: > Gadi, > > > [...] > > One note: although it could just as well be a bug, who says it was not a > > backdoor in the early 90's? > > > > Also, I understand this does not work on older Solaris/SunOS systems > > (anyone can verify?) > > I can. It is not present in anything before Solaris 10. > > > which adds to my personal interest in the > > possibility. I refuse to believe someone is that funny/sad. > > Not sure what you mean here... You don't believe this is a (very > unfortunate) accident? > > From where I stand (pretty close to the fire) this is pretty much > what it looks like (an extended multi-file, multi-entrance-point > change with unforseen and unnoticed interdependencies). This needs to be further discussed, as your response here has been awe-striking. The remote possibility was raised, and for several reasons: 1. It just didn't seem to be possible such a vulnerability would exist, yet it does. 2. It was a remote one (not raised by me, btw) which I wanted answers for rather than let it die under the usual flames. 3. It was raised, we needed to discuss it. Sun has been completely visible and did full-disclosure on the vulnerability, how it got there, etc. I have to tip my hat to you and thank you for your help with this. I believe the entire industry should thank you, and follow your lead. This is the first case where I have seen a vendor respond in such fashion. It is to be commended yet again. You have proven what being open with the community can achieve. This is a serious F up on the side of Sun. Everyone makes mistakes and incidents will happen no matter what. What matters here is how you responded to the incident when it did happen. Gadi. > > Joep >
