From owner-freebsd-security  Mon Jul 20 20:38:10 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id UAA00805
          for freebsd-security-outgoing; Mon, 20 Jul 1998 20:38:10 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from sasami.jurai.net (winter@sasami.jurai.net [207.153.65.3])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA00737
          for <security@FreeBSD.ORG>; Mon, 20 Jul 1998 20:37:56 -0700 (PDT)
          (envelope-from winter@jurai.net)
Received: from localhost (winter@localhost)
	by sasami.jurai.net (8.8.8/8.8.7) with SMTP id XAA25346;
	Mon, 20 Jul 1998 23:37:27 -0400 (EDT)
Date: Mon, 20 Jul 1998 23:37:27 -0400 (EDT)
From: "Matthew N. Dodd" <winter@jurai.net>
To: Brett Glass <brett@lariat.org>
cc: Jon Hamilton <hamilton@pobox.com>,
        "Christopher G. Petrilli" <petrilli@dworkin.amber.org>,
        "Gentry A. Bieker" <gbieker@crown.NET>, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack? 
In-Reply-To: <199807210311.VAA00475@lariat.lariat.org>
Message-ID: <Pine.BSF.3.96.980720233609.10970j-100000@sasami.jurai.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


Ok, you convinced me.

When are you going to have this service operational?

How much are you going to charge for it?

What sort of guarantee (maney back? plus?) are you going to give me?

Who is your insurance carrier? (you must be getting great rates!)

Thanks.

On Mon, 20 Jul 1998, Brett Glass wrote:

> At 09:40 PM 7/20/98 -0500, Jon Hamilton wrote:
>  
> >I still think you're just ranting.  What does it mean to "have been 
> >potentially compromised" anyway?  
> 
> It means that many of these systems are still just WAITING to be broken
> into. There could be a lot more damage done -- we're talking millions
> of dollars' worth.
> 
> >Maybe you've been working too long and too hard cleaning up after your
> >breakin.  CVSup would work fine for what you're talking about, you'd just
> >have to have a different tag which only got "known good patches for
> >significant problems".  Of course, this would still have the problem of
> >being a "pull" model, so you'd have to check "often enough".
> 
> Which means, given the typical e-mail volume an administrator must handle,
> many people would not "pull" in time. I'd rather have a "push" model with the
> ability to back out or opt out.
> 
> >You'd also have to be damn sure you trusted the person doing the checkins, 
> 
> Anyone who runs FreeBSD already places a lot of trust in the maintainers.
> 
> >and
> >you'd have to be sure that you were in fact talking to the server you
> >decided to trust.
> 
> Easily accomplished via cryptography.
> 
> >And you'd have to be certain that you trusted the patch
> >as applied, both that it solved the problem it was meant to solve, and
> >that it didn't introduce some other bogosity.  Most of these should be
> >red flags shouting out that you don't really want to automate this 
> >process, but I don't imagine that'll slow you down much.
> 
> I would rather automate it than see delays, break-ins, and duplicated
> effort.
> 
> --Brett Glass
> 

/* 
   Matthew N. Dodd		| A memory retaining a love you had for life	
   winter@jurai.net		| As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53	
*/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message