From owner-freebsd-chat Wed Sep 4 15:07:56 1996
Return-Path: owner-chat
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA05188 for chat-outgoing; Wed, 4 Sep 1996 15:07:56 -0700 (PDT)
Received: from theos.com (zeus.theos.com [199.185.137.1]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA05183 for ; Wed, 4 Sep 1996 15:07:49 -0700 (PDT)
Received: from LOCALHOST.theos.com by theos.com (4.1/tdr1.0) id AA12516; Wed, 4 Sep 96 16:07:28 MDT
Message-Id: <9609042207.AA12516@theos.com>
To: Nate Williams
Cc: Theo de Raadt , chat@freebsd.org
Subject: Re: FreeBSD vs. Linux 96 (my impressions) - Reply
In-Reply-To: Your message of "Wed, 04 Sep 1996 15:46:50 MDT." <199609042146.PAA02647@rocky.mt.sri.com>
Date: Wed, 04 Sep 1996 16:07:26 -0600
From: Theo de Raadt
Sender: owner-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > So, now, remember the XXXXXX trace file bug FreeBSD recently fixed by
>[...]
>
> I doubt even *one* person will get fried for that.

Well, people have been fried by it. Nate, you are quite simply wrong. Your technical expertise does not land in security.

Nate, you poopoo me in a comparison against Markus Ranum, then in the next report you say a security hole that can append log files to any file in the entire filesystem is ok. Terry had a very good point; I will use this as a reminder not to send bug reports to people like Nate, who will act as judge in areas they know shit all nothing about.

> I didn't state I wanted your fix, just a pointer to where they might be so
> *I* (or others) could go look them up.

Nate, they are in the OpenBSD source tree. Go ahead, anoncvs is fun.

> If you're worried about disclosure send them to CERT.

No, I am more worried about proper use of my time.

> But, if *YOU* can find them then so can
> joe hacker, and he's going to get into the BSD systems that are so
> insecure.

Yup. FreeBSD and NetBSD boxes. Of course, any user can crash the OpenBSD or NetBSD vm system.

> By disclosing them you at least put him on the same footing
> as the hackers. If it means he has to disable potentially helpful code,
> then so be it. It's better than losing years worth of work.

Nate, if you don't want to lose your years worth of work you might consider putting your machines behind an OpenBSD firewall.