Date: Tue, 21 Jul 1998 10:47:23 +1000 (EST)
From: Nicholas Charles Brawn <ncb05@uow.edu.au>
To: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Message-ID: <Pine.SOL.3.96.980721103349.15221C-100000@banshee.cs.uow.edu.au>
In-Reply-To: <199807201828.MAA21514@lariat.lariat.org>

On Mon, 20 Jul 1998, Brett Glass wrote:

> I'd go further. I'd be willing to allow an INSTANT automatic upgrade
> if the FreeBSD Security Manager sent a message, digitally signed with
> a nice, long key, saying that a serious exploit might be imminent. It'd
> be worth the risk. In the case of the QPopper hole, it would have been
> the Right Thing.
>
> The feature would, of course, be optional. Not everyone would turn it on,
> but *I* would.

Again, this would be merely a stopgap measure. Also, patches need to be
adequately tested before applying. As one who watched the shenanigans on
bugtraq following the hype about qpopper, I saw numerous patches released
without adequate testing or further auditing of qpopper source. The result
was that several patches actually prevented qpopper from performing its
task, and in some cases didn't fix all the holes identified.

In short, the best defense against attacks is a good offense. You need a
good administrator who understands security issues, keeps up to date with
advisories and open source security lists, and knows your systems and
networks like the back of their hand. Automatic updates of software may
help in some circumstances, but it doesn't beat having an admin on hand
who knows what they're doing.

> --Brett Glass

Just my $0.02 :)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message