Date: Mon, 20 Jul 1998 21:11:01 -0600
From: Brett Glass <brett@lariat.org>
To: Jon Hamilton <hamilton@pobox.com>
Cc: "Matthew N. Dodd" <winter@jurai.net>,
    "Christopher G. Petrilli" <petrilli@dworkin.amber.org>,
    "Gentry A. Bieker" <gbieker@crown.NET>,
    security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Message-ID: <199807210311.VAA00475@lariat.lariat.org>
In-Reply-To: <199807210238.UAA29812@lariat.lariat.org>
References: <Your message of "Mon, 20 Jul 1998 17:52:20 MDT." <199807202352.RAA27271@lariat.lariat.org>

At 09:40 PM 7/20/98 -0500, Jon Hamilton wrote:

>I still think you're just ranting. What does it mean to "have been
>potentially compromised" anyway?

It means that many of these systems are still just WAITING to be broken into. There could be a lot more damage done -- we're talking millions of dollars' worth.

>Maybe you've been working too long and too hard cleaning up after your
>breakin. CVSup would work fine for what you're talking about, you'd just
>have to have a different tag which only got "known good patches for
>significant problems". Of course, this would still have the problem of
>being a "pull" model, so you'd have to check "often enough".

Which means, given the typical e-mail volume an administrator must handle, many people would not "pull" in time. I'd rather have a "push" model with the ability to back out or opt out.

>You'd also have to be damn sure you trusted the person doing the checkins,

Anyone who runs FreeBSD already places a lot of trust in the maintainers.

>and
>you'd have to be sure that you were in fact talking to the server you
>decided to trust.

Easily accomplished via cryptography.

>And you'd have to be certain that you trusted the patch
>as applied, both that it solved the problem it was meant to solve, and
>that it didn't introduce some other bogosity. Most of these should be
>red flags shouting out that you don't really want to automate this
>process, but I don't imagine that'll slow you down much.

I would rather automate it than see delays, break-ins, and duplicated effort.

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message