From owner-freebsd-security Mon Jul 20 21:02:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA05490 for freebsd-security-outgoing; Mon, 20 Jul 1998 21:02:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from zeus.theinternet.com.au (akm@zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA05432 for ; Mon, 20 Jul 1998 21:02:24 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au)
Received: (from akm@localhost) by zeus.theinternet.com.au (8.8.7/8.8.7) id NAA28466; Tue, 21 Jul 1998 13:58:18 GMT (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199807211358.NAA28466@zeus.theinternet.com.au>
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807210257.UAA00240@lariat.lariat.org> from Brett Glass at "Jul 20, 98 08:57:03 pm"
To: brett@lariat.org (Brett Glass)
Date: Tue, 21 Jul 1998 13:58:18 +0000 (GMT)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ Brett Glass ]---------------------------------------------
| At 10:41 AM 7/21/98 +0000, Andrew Kenneth Milton wrote:
|
| >So fix it.
| >
| >If you can't fix it, wait for it to be fixed.
| >If you can't wait for it to be fixed either change to a different
| >vendor implementation or shut down.
|
| Possibly. But in this case, by the time I found out about the problem,
| someone else could already have fixed it and it could have been installed
| automatically on the system. Why re-implement the wheel or duplicate
| another's effort?

In which case you are waiting for it to be fixed. You can always have your
system update ports automatically.

And in the specific case of qpopper, depending on whose patch you trusted
the most, you'd have non-functioning software, automatically, but, still
non-functioning.

| >While these choices might be inconvenient, they are all you have.
|
| The point is that they're not. It'd be nice to get an automatic update
| that closes the hole. I might create the new version sometimes, but
| there's no reason for each person to do it every time.

But, this is not the case. The bug was fixed, the patches were released,
and you could have had the software rebuilt and reinstalled, as soon as
the tree was updated.

| Well, the first thing I might "whinge" about is your spelling. But
| after I get through ribbing you about that, I'll continue to mount an
| effort to come up with a more sensible solution than trying to close
| every security hole myself, thank you.

And how do you spell colour?

Security isn't a pastime, it's a career. You have to have some level of
commitment to it, it doesn't happen by accident.

| >And BTW C doesn't kill people, C Programmers kill people.
|
| In either case, the solution is to fix C or move to something else.

C is not broken. The solution is for software houses to have quality
systems in place to prevent things like buffer overflows.

If you want to use free, possibly unmaintained (by the author) software,
then you have to accept the risks of doing so. Your system is hosed because
you made the conscious choice of picking one vendor over another.

If it means that much to you you should test software before you install
it on a live system. If you can't be bothered to do that, make sure you
have good business insurance and get on with your life.

You chose and installed the software, which you blatantly didn't trust
because it was written in C, but, failed to test it, even though you had
a low level of trust in it.

Your better system is within your grasp, you could identify problems that
exist before they become security holes, submit bug reports, and take
measures to prevent problems in the meantime.

You don't want to test it? Don't have the time? That's your calculated
risk, weigh up what it costs you to test vs. how much it costs you if
your system is compromised.

Don't simply dream of nirvana and complain when you wake up at home.

I don't know of any popmail software written in Ada. When I find some
I'll let you know.

--
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066  |  Andrew
The Internet (Aust) Pty Ltd          |  F:+61 7 3870 4477  |  Milton
ACN: 082 081 472                     |  M:+61 416 022 411  |72 Col .Sig
PO Box 403 Booval QLD Australia 4304 |akm@theinternet.com.au|Specialist

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
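The "quality systems in place to prevent things like buffer overflows" point in the message above is a process claim. One concrete engineering habit behind it is shown here as an added example in C; it is not code from qpopper, from anyone in this thread, or from the FreeBSD ports tree. The idea is that every copy into a fixed-size buffer is preceded by a length check against the destination's size, and a rejected line leaves the output zeroed rather than partially filled. The POP-style "VERB [argument]" line shape and the VERB_MAX and ARG_MAX limits are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example (not taken from any real POP server). */
enum {
    VERB_MAX = 8,          /* POP verbs are four letters; room for NUL and slack */
    ARG_MAX  = 64,         /* maximum argument length, including the NUL */
    PARSE_OK = 0,
    PARSE_EMPTY = -1,      /* line had no content before CR/LF */
    PARSE_TOO_LONG = -2    /* a field would not fit: rejected, nothing copied */
};

struct command {
    char verb[VERB_MAX];
    char arg[ARG_MAX];
};

/* Parse one line of the form "VERB [argument]\r\n" into fixed-size fields.
 * Every memcpy is guarded by a check against sizeof the destination, and on
 * any failure the output stays zeroed so a caller cannot act on a truncated
 * command.  Terminating NULs come from the memset, since each copy leaves
 * at least one byte free. */
int parse_command(const char *input, struct command *out)
{
    memset(out, 0, sizeof *out);

    size_t line_len = strcspn(input, "\r\n");
    if (line_len == 0)
        return PARSE_EMPTY;

    size_t verb_len = strcspn(input, " \r\n");    /* verb ends at space or EOL */
    if (verb_len >= sizeof out->verb)
        return PARSE_TOO_LONG;

    const char *arg = input + verb_len;
    while (*arg == ' ')                            /* skip the separator(s) */
        arg++;
    size_t arg_len = strcspn(arg, "\r\n");
    if (arg_len >= sizeof out->arg)
        return PARSE_TOO_LONG;

    memcpy(out->verb, input, verb_len);
    memcpy(out->arg, arg, arg_len);
    return PARSE_OK;
}

/* Helper: 1 if `input` parses OK into exactly the given verb and argument. */
int parsed_equals(const char *input, const char *verb, const char *arg)
{
    struct command c;
    if (parse_command(input, &c) != PARSE_OK)
        return 0;
    return strcmp(c.verb, verb) == 0 && strcmp(c.arg, arg) == 0;
}

/* Helper: just the status code, for inputs that are expected to be rejected. */
int parse_status(const char *input)
{
    struct command c;
    return parse_command(input, &c);
}

int main(void)
{
    /* Constructed sample lines, including one oversized argument. */
    const char *samples[] = {
        "USER alice\r\n",
        "NOOP\r\n",
        "\r\n",
        "PASS " "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB"
                "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct command c;
        int rc = parse_command(samples[i], &c);
        printf("rc=%d verb=\"%s\" arg=\"%s\"\n", rc, c.verb, c.arg);
    }
    return 0;
}
```

The check `arg_len >= sizeof out->arg` (rather than `>`) is the detail that keeps room for the terminating NUL; an off-by-one there is exactly the kind of defect a review checklist or a bounds-checking test suite is meant to catch before the code ships.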