From owner-freebsd-security Thu Feb 6 07:15:00 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA18750 for security-outgoing; Thu, 6 Feb 1997 07:15:00 -0800 (PST)
Received: from sys4.cambridge.uk.psi.net (sys4.cambridge.uk.psi.net [154.32.106.14]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA18730 for ; Thu, 6 Feb 1997 07:14:52 -0800 (PST)
Received: from nadt.org.uk by sys4.cambridge.uk.psi.net (8.7.5/SMI-5.5-UKPSINet) id MAA07296; Thu, 6 Feb 1997 12:43:32 GMT
Received: from infodev.nadt.org.uk (infodev.nadt.org.uk [194.155.224.205]) by charlie.nadt.org.uk (8.6.12/8.6.12) with SMTP id MAA06912 for ; Thu, 6 Feb 1997 12:22:41 GMT
Date: Thu, 6 Feb 1997 12:22:41 GMT
Posted-Date: Thu, 6 Feb 1997 12:22:41 GMT
Message-Id: <199702061222.MAA06912@charlie.nadt.org.uk>
X-Website: http://www.innotts.co.uk/~nadt
X-Sender: robmel@wrcmail
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: security@freefall.freebsd.org
From: Robin Melville
Subject: Re: security-digest V3 #12
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As a careful follower of the security digest I feel moved to add a pennyworth of complaint.

I'm getting very tired of wading through the arrogant, hypercritical screeds posted by some correspondents. Any user of FreeBSD must be aware that it's an exceptional piece of work provided by volunteers who work their butts off. Our organisation is particularly grateful to them since it enables us to provide clinical IT which we couldn't possibly afford to do if the only option was commercial Unices/Novell/NT.

The setlocale() security hole is unfortunate, but I'm sure not unexceptional in the context of any huge project written in C. Now it's known about and is being/has been fixed. There will be others. Security holes are a problem but also a fact of life for all system managers. I don't have any complaint about the (unpaid) work of the core team in attempting to patch them as they arise.

What /would/ be tiresome would be the widespread dissemination of exploits to make a (malicious?) point. Highly skilled hackers will probably always be able to get into systems; this is also a fact of life. Telling (the much larger number) of less skilled/inquisitive users exactly how to get a # seems to me to be monstrously unhelpful. Unskilled hackers with root access are much more likely to do considerable damage by mistake than a passing wizard "bagging" your system or surreptitiously stealing CPU/disk space.

If these correspondents have a personal beef with members of the FreeBSD core team would they please conduct it with private email.

Thanks.

Robin Melville

--------------------------------------------------------
Robin Melville, Addiction & Forensic Information Service
Nottingham Alcohol & Drug Team (Extn. 49178)
Vox: +44 (0)115 952 9478 Fax: +44 (0)115 952 9421
Email: robmel@nadt.org.uk WWW: http://www.innotts.co.uk/nadt/
---------------------------------------------------------