From owner-freebsd-security Sat Feb 8 13:27:13 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5)
    id NAA00655 for security-outgoing; Sat, 8 Feb 1997 13:27:13 -0800 (PST)
Received: from cwsys.cwent.com (0@cschuber.net.gov.bc.ca [142.31.240.113])
    by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA00644 for ;
    Sat, 8 Feb 1997 13:27:06 -0800 (PST)
Received: (from uucp@localhost) by cwsys.cwent.com (8.8.5/8.6.10)
    id NAA04237; Sat, 8 Feb 1997 13:26:21 -0800 (PST)
Message-Id: <199702082126.NAA04237@cwsys.cwent.com>
Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys"
    via SMTP by localhost.cwent.com, id smtpd004234; Sat Feb 8 21:26:20 1997
Reply-to: cy@uumail.gov.bc.ca
X-Mailer: Xmh
To: "Stephen F. Combs"
cc: Robin Melville , security@freefall.freebsd.org, jkh@freebsd.org,
    security-officer@freebsd.org
Subject: Re: security-digest V3 #12
In-reply-to: Your message of "Thu, 06 Feb 1997 10:49:00 EST."
Date: Sat, 08 Feb 1997 13:26:19 -0800
From: Cy Schubert
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I don't want to speak for Jordan but I believe that the constant griping
and complaining by a few on this list may have had, in addition to the
reasons he outlined, something to do with his resignation as President of
the FreeBSD project. I'm sure the core and development teams are doing
their best to provide a well written and secure operating system.

I for one would like to third your motion. Keep up the good work.

My switch from Linux to FreeBSD approximately two years ago was for the
very reason that I could see a quality product being developed in the
project in a cohesive and coherent manner, (as opposed to the Linux model
of many independent and unrelated or semi-related projects).

I'd like to point out that my experience with free UNIX operating systems
has been more productive than with the commercial vendors.
The telnetd, syslog(), and numerous sendmail bugs have usually taken the
various commercial vendors I deal with months to come out with patches.
A good example is the syslog() bug. It took one vendor three months,
another four months, and yet another six months to deliver patches to me,
while the FreeBSD project had a patch within a week of the bug's
announcement. The FreeBSD project is giving us better service than many
of the vendors at no or very little cost to us.

To you complainers: Why are you intent on pissing off the FreeBSD core
and development teams and ruining a good thing? Do you want everyone who
has been developing this fine operating system to resign just like Jordan
did? If they did we'd have to switch to other operating systems. I've
done that too many times to want to do this again. I'm sure most people
on this list would agree.

To those of you who insist on broadcasting exploits: Would you not be
more effective in distributing these exploits to your intended audience
via #warez or #hackers?

To security-officer@freebsd.org: Please relay my appreciation to the core
and development teams for all of the hard work they've put into making
FreeBSD as stable as it is. I'm sure I speak for the majority of people
who use FreeBSD that we appreciate the effort, especially over the last
few days to fix the setlocale() bug.

Cy Schubert
cschuber@uumail.gov.bc.ca
cys@mailhost.wlc.com

> Hear, Hear! I've been using FreeBSD since the first available pre-release
> snapshot and I've NO PROBLEMS with the core developers! Jordan and the core
> team have been EXTREMELY responsive to problems/security holes/etc.....
> Anything thought of by man can be circumvented by man! (don't remember WHO
> was the originator of that but 'TIS TRUE!).
>
> Guys (and gals, if there are any) KEEP UP THE GOOD WORK!
>
> On 06-Feb-97 Robin Melville wrote:
> >As a careful follower of the security digest I feel moved to add a
> >pennyworth of complaint.
> >
> >I'm getting very tired of wading through the arrogant, hypercritical screeds
> >posted by some correspondents.
> >
> >Any user of FreeBSD must be aware that it's an exceptional piece of work
> >provided by volunteers who work their butts off. Our organisation is
> >particularly grateful to them since it enables us to provide clinical IT
> >which we couldn't possibly afford to do if the only option was commercial
> >Unices/Novell/NT.
> >
> >The setlocale() security hole is unfortunate, but I'm sure not unexceptional
> >in the context of any huge project written in C. Now it's known about and is
> >being/has been fixed. There will be others.
> >
> >Security holes are a problem but also a fact of life for all system
> >managers. I don't have any complaint about the (unpaid) work of the core
> >team in attempting to patch them as they arise. What /would/ be tiresome
> >would be the widespread dissemination of exploits to make a (malicious?) point.
> >
> >Highly skilled hackers will probably always be able to get into systems,
> >this is also a fact of life. Telling (the much larger number) of less
> >skilled/inquisitive users exactly how to get a # seems to me to be
> >monstrously unhelpful. Unskilled hackers with root access are much more
> >likely to do considerable damage by mistake than a passing wizard "bagging"
> >your system or surreptitiously stealing CPU/disk space.
> >
> >If these correspondents have a personal beef with members of the FreeBSD
> >core team would they please conduct it with private email.
> >
> >Thanks.
> >
> >Robin Melville
> >--------------------------------------------------------
> >Robin Melville, Addiction & Forensic Information Service
> >Nottingham Alcohol & Drug Team (Extn. 49178)
> >Vox: +44 (0)115 952 9478 Fax: +44 (0)115 952 9421
> >Email: robmel@nadt.org.uk
> >WWW: http://www.innotts.co.uk/nadt/
> >---------------------------------------------------------
> >
>
> ----
> Stephen F. Combs          Internet: CombsSF@Salem.GE.COM
> GE Industrial Systems     Voice: 540.387.8828
> Network Services          Home: CombsSF-Home@Salem.GE.COM
> 1501 Roanoke Blvd         FAX: 540.387.7106
> Salem, VA 24153           LapTop: CombsSF-Mobile@Salem.GE.COM
>