From: "Matthew N. Dodd" <winter@jurai.net>
To: Brett Glass
cc: security@FreeBSD.ORG
Date: Tue, 21 Jul 1998 16:26:51 -0400 (EDT)
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807211952.NAA15969@lariat.lariat.org>

On Tue, 21 Jul 1998, Brett Glass wrote:

> At 03:34 PM 7/21/98 -0400, Matthew N. Dodd wrote:
> >If you're not able to stand on the line and keep watch, set procmail up to
> >turn down your network every time a Bugtraq message with 'exploit' and
> >'foo' turns up.
>
> In other words, make the system self-destruct when I stop watching long
> enough to have a life. Really practical.

To quote Robert De Niro in _Heat_, "That's the discipline..."

I'm taking the side of devil's advocate here; someone has to. I could easily take your side and argue it as well.

Security means constant vigilance; you can't let down your guard. If your desire to have a life conflicts with this vigilance, you or your employer need to make adjustments. Free software isn't for everyone. If you are the only one standing on the line, maybe your shop is understaffed. Bring this up with your boss; misrepresenting the costs of doing business is nearly always fatal.
While we can strive to make software better, the reality is that we will have limited success, and only slow the tide of problems with poorly written software. We may try to implement automated tools to make our lives easier; these do not provide a substitute for our watchful vigilance.

As others have said, a patch was posted for the problem the same day; where were you?

Keep in mind that a $5.50/hr person to read bugtraq and rootshell and others may well be worth having if it means you get immediate notice of problems. Such people should not be difficult to come by, but few of them will last past six months.

You seem to dislike the solutions I propose that don't satisfy your sense of aesthetics. While paying for a solution may not be pretty, sometimes it's the only efficient choice.

/* Matthew N. Dodd           | A memory retaining a love you had for life
   winter@jurai.net          | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */