On Wed, 01 Sep 1999 18:07:32 PDT, "Free, Bob" <[EMAIL PROTECTED]> said:
> reboot. When the installation is completed after rebooting, these keys are
> cleared and your legal notice is gone.
Having installations that blow away files *intended* for user configuration
is always Very Bad Juju.
> If your security policies are reliant on legal notices this is not a good
> thing. (...)
OK.. I admit I'm reading it at 3AM, and it took 3 retries before I parsed
this sentence the way you intended. I kept reading it as "this" being
the reliance, not the bug. It took 2 more reads before it sank in that
parsed either way the sentence was still probably true. Having legal
notices dissapear is a Bad Thing, and having policies that require them
may be a Bad Thing too...
Can anybody out there cite case law or statute where having a legal
notice actually makes a difference, in the case of a scriptz kiddy
exploit that rarely, if ever, sees a legal notice? I'm aware of
the old "welcome to VMS" issue regarding the lack of a notice when the
user logged in normally. This is the opposite - entering a system
via a means never intended to have a legal notice. Could a login
banner be self-defeating, if a hacker doesn't login?
In any case, if your security policies are *reliant* on notices, as
opposed to including them as one *small* part of a total solution,
you're probably already 0wned... ;)
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
