Date: Tue, 21 Jul 1998 15:34:07 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
cc: Jon Hamilton, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807211824.MAA14302@lariat.lariat.org>

On Tue, 21 Jul 1998, Brett Glass wrote:

> At 10:34 PM 7/20/98 -0500, Jon Hamilton wrote:
>
> >The sky is falling! Where is that warranty? Oh, that's right, there isn't
> >one. The people who are responsible for keeping those machines safe are
> >just going to have to be responsible for keeping them safe, I guess.
>
> And every one of them will respond instantly to every security advisory,
> so no crackers will ever get in. Nice fantasy.

The last time we had a major sendmail problem the response time of the
group I was in was about 4 hours; a dozen machines fixed, patches
integrated into private source trees etc. -That- is the kind of turn
around time you need when you're using free software.

If you're not able to stand on the line and keep watch, set procmail up
to turn down your network every time a Bugtraq message with 'exploit' and
'foo' turns up.

> A security team formed for that purpose. A group of people who DO hang on
> every Bugtraq message (if not individually, then collectively). As for
> "-current won't compile" problems -- they're unlikely to occur because
> the patches will likely be to small bits of the OS.

Who pays this team then?

> As much as I trust CVSupping to close a hole. And, yes, I do place a high
> level of trust in strong crypto. As must all of us.

*yawn*

This is going to be the next "Information wants to be free!" type mantra
isn't it.

/*
   Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53
*/