Date:      Mon, 20 Jul 1998 23:37:27 -0400 (EDT)
From:      "Matthew N. Dodd" <winter@jurai.net>
To:        Brett Glass <brett@lariat.org>
Cc:        Jon Hamilton <hamilton@pobox.com>, "Christopher G. Petrilli" <petrilli@dworkin.amber.org>, "Gentry A. Bieker" <gbieker@crown.NET>, security@FreeBSD.ORG
Subject:   Re: Why is there no info on the QPOPPER hack? 
Message-ID:  <Pine.BSF.3.96.980720233609.10970j-100000@sasami.jurai.net>
In-Reply-To: <199807210311.VAA00475@lariat.lariat.org>



Ok, you convinced me.

When are you going to have this service operational?

How much are you going to charge for it?

What sort of guarantee (money back? plus?) are you going to give me?

Who is your insurance carrier? (you must be getting great rates!)

Thanks.

On Mon, 20 Jul 1998, Brett Glass wrote:

> At 09:40 PM 7/20/98 -0500, Jon Hamilton wrote:
>  
> >I still think you're just ranting.  What does it mean to "have been 
> >potentially compromised" anyway?  
> 
> It means that many of these systems are still just WAITING to be broken
> into. There could be a lot more damage done -- we're talking millions
> of dollars' worth.
> 
> >Maybe you've been working too long and too hard cleaning up after your
> >breakin.  CVSup would work fine for what you're talking about, you'd just
> >have to have a different tag which only got "known good patches for
> >significant problems".  Of course, this would still have the problem of
> >being a "pull" model, so you'd have to check "often enough".
> 
> Which means, given the typical e-mail volume an administrator must handle,
> many people would not "pull" in time. I'd rather have a "push" model with the
> ability to back out or opt out.
> 
> >You'd also have to be damn sure you trusted the person doing the checkins, 
> 
> Anyone who runs FreeBSD already places a lot of trust in the maintainers.
> 
> >and
> >you'd have to be sure that you were in fact talking to the server you
> >decided to trust.
> 
> Easily accomplished via cryptography.
> 
> >And you'd have to be certain that you trusted the patch
> >as applied, both that it solved the problem it was meant to solve, and
> >that it didn't introduce some other bogosity.  Most of these should be
> >red flags shouting out that you don't really want to automate this 
> >process, but I don't imagine that'll slow you down much.
> 
> I would rather automate it than see delays, break-ins, and duplicated
> effort.
> 
> --Brett Glass
> 

/* 
   Matthew N. Dodd		| A memory retaining a love you had for life	
   winter@jurai.net		| As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53	
*/

