Date: Mon, 20 Jul 1998 23:33:28 -0400 (EDT) From: "Matthew N. Dodd" <winter@jurai.net> To: Brett Glass <brett@lariat.org> Cc: "Christopher G. Petrilli" <petrilli@dworkin.amber.org>, "Gentry A. Bieker" <gbieker@crown.NET>, security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? Message-ID: <Pine.BSF.3.96.980720232539.10970i-100000@sasami.jurai.net> In-Reply-To: <199807202352.RAA27271@lariat.lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 20 Jul 1998, Brett Glass wrote: > Thousands (maybe tens or hundreds of thousands) of systems have been > potentially compromised because that code was in the FreeBSD Ports > library. Mine wasn't. Am I luck or just fast on the draw? I'm still not running qpopper because I've not had the time to pick through it. Whats your excuse? If you're not willing to stay on top of things and react when bugs are found: 1. Don't run code that you have not audited. 2. Use commercial software so you have the ability to bitch at someone who cares. > I'd find it hard to believe that such a scheme would do > anything but improve the odds that the hole would be closed. There is no magic bullet. If the auto upgrade mechanism is comprimized, the FreeBSd project now has to bear the blame for providing an insecure security service. I'd much rather they spent their time providing an OS. This is the nature of the game. Stay on top of things. > And, no, CVSup is not an answer. On production machines, you don't > want to CVSup to the latest version -- you just want to pick up > known good patches for significant problems. How do you know what the 'good' ones are? You sound like a person in need of a scram button for your network. > At 05:40 PM 7/20/98 -0400, Matthew N. Dodd wrote: > > > > >This sort of thing tends to go over poorly at security audits and with > >people who's heads are on the line when things break. > > > >I'm not willing to trust a 3rd party with that level of control of my > >system. > > > >Nobody should be that trusting. > > > >Just think of what would happen if the update process was compromised. > > > >On Mon, 20 Jul 1998, Brett Glass wrote: > >> I'd go further. I'd be willing to allow an INSTANT automatic upgrade > >> if the FreeBSD Security Manager sent a message, digitally signed with > >> a nice, long key, saying that a serious exploit might be imminent. It'd > >> be worth the risk. In the case of the QPopper hole, it would have been > >> the Right Thing. > >> > >> The feature would, of course, be optional. Not everyone would turn it on, > >> but *I* would. > > > > > > > >/* > > Matthew N. Dodd | A memory retaining a love you had for life > > winter@jurai.net | As cruel as it seems nothing ever seems to > > http://www.jurai.net/~winter | go right - FLA M 3.1:53 > >*/ > > > /* Matthew N. Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980720232539.10970i-100000>