From owner-freebsd-security@FreeBSD.ORG Mon May 16 08:05:16 2005
From: "Drew B. [Security Researcher and Analyst]."
Reply-To: "Drew B. [Security Researcher and Analyst]."
To: freebsd-security@freebsd.org
Date: Mon, 16 May 2005 18:05:13 +1000
Subject: RE: oh foobar!
Message-ID: <245f0df105051601053ecacb0e@mail.gmail.com>
List-Id: Security issues [members-only posting]

Hello list, just one thought. If you had a 'package verify' function which automatically installs itself and updates itself on any major update (a built-in feature, possible for a future build), then that alone would eliminate multiple packages, which sometimes have bad components left behind. I have seen a similar idea in the ports/vulnerability-test-port.

I think this is a root problem: if you disabled ALL users (well, at least make a stern admin warning, and log the install that was proceeded with for root users to PoC etc., to track back or monitor), then you can't get any multiple installs, unless you are using OLD CDs, in which case, as I am uninformed in fBSD it seems (but then I think we are all misinformed, the users that is, that fBSD is extremely secure and well to manage, hence making an admin/user think the box is almost indestructible; it is impossible with open source, and now it is being torn apart, as duly all things do in time I guess).

It just seems to me that I am seeing a lot of fBSD-related exploitation, unlike 10 or so years ago, when yes, Unix was compromisable, but usually by a brute force on a 'god' pass ;).

I am now going to remain idle, and am even leaving the online world, to concentrate on more important things, like getting a job :). So good luck to you all. I will still remain here, I just will not be very public anymore; it seems I may be upsetting the higher echelons of fBSD, I can see my firewall ya know ;). And I dislike what I see, when all I really did was report a problem I had myself, and someone I know still has. I am here only to have that addressed; watching the rest of this list function has shown me how weak your security is.
Yeah sure, you might have a nametag (just like "expert" ;) ), but nowadays that doesn't mean jackshit, and if my machines are going to be annoyed about it, I would rather just d/c and move my stuff. You are the O/S so-called bosses and so@freebsd.org, well, I don't recall EVER seeing it, so I must be just hopeless, eh!

Anyhow, I meant no mis- or mal-intent, never did. I warned I was looking into something in my first post here, then received criticism in public from @freebsd.org.. pfft.. ridiculous, out of ALL the words I wrote, all that the person could see was 'expert'... wow.. congrats! You picked a silly signature error for me. As I am saying, basically watching the way this is happening, after posting a 'request', has made me sicken of ever posting any problems ever again to you. I find the unprofessionalism about a silly avatar ridiculous, considering one person managed to say that, and 10 others in private (yes PM! amazing thing that) at least had positive things to say.

Yes, people make accidents; I have a busy life (NOW not so :) ), but I just did not know of a security list running, and then another security officer; I assumed the so@ would be the security-list owner. So considering I have apparently been 'public' about something that is legal, well, this is how I am responding, and I will know that if you treat people this way, others also HAVE and will continue to leave.

Adios amigos (those that actually read things ;)

Regards,
Drew.
--------------------------------------------------------------------
Drew, the antichrist who reported a flaw.