Date:      Thu, 31 Oct 1996 14:50:45 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        jgreco@brasil.moneng.mei.com (Joe Greco)
Cc:        terry@lambert.org, scrappy@ki.net, wollman@lcs.mit.edu, jgreco@brasil.moneng.mei.com, current@freebsd.org
Subject:   Re: /var/mail (was: re: Help, permission problems...)
Message-ID:  <199610312150.OAA26334@phaeton.artisoft.com>
In-Reply-To: <199610311844.MAA28303@brasil.moneng.mei.com> from "Joe Greco" at Oct 31, 96 12:44:46 pm

> > Or publicize the denial of service attack in the news groups where
> > IMAP4 is discussed and hope someone uses it.
> 
> TERRRY!  That is perfectly irresponsible :-)
> 
> As tempting as it may be, and even though I do not believe in security
> through obscurity as a first line of defense, I do believe that there
> is some value to security through obscurity.
> 
> We would be doing less-sophisticated operating systems a great disservice.

As they are currently convincing Mark to do BSD the disservice of
kludging around a failure of other platforms to supply a working,
documented, system service?


It's not like this information isn't well known to hackers anyway.

What's needed is to *also* inform the "nervous nellie" managers who
buy these systems so that they whine about the situation to the
vendors and the problem gets fixed.


I see very little difference between this and defaulting RFC 1323 and
RFC 1644 on to flag broken stack implementations, in no uncertain terms.

What's the logical difference between promoting a policy to fix the
networking system calls, and promoting a policy to fix the fcntl()
system call?  I'm confused...


At the very least, we should lobby for a CERT advisory for a denial of
service attack based on 1777 permissions so that everyone else's
mailspool permissions change as well: then it will be *impossible*
to argue ".lock works on other platforms".

If we can't fix the problem, at least we can invalidate the argument
that perpetuates the situation of the problem "not being bad enough
to fix".


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
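The two mechanisms argued over above, a world-writable (1777) mail spool relied on by dot-lock delivery versus fcntl() advisory locking on the mailbox file itself, can be checked and contrasted directly. The following is an added example written for this archive page; it is not code from Terry Lambert, Joe Greco or FreeBSD. It runs against a constructed temporary spool directory rather than the real /var/mail, and the function names (`audit_spool`, `lock_mailbox`, `demo`) and the sample mailbox name are assumptions of the example.

```python
"""Audit a mail spool directory for the 1777 dot-lock exposure and show
fcntl()-based mailbox locking, which needs no write access to the spool
directory itself.  Added example; function names and paths are assumptions."""
import fcntl
import os
import stat
import tempfile


def audit_spool(spool_dir: str) -> dict:
    """Return permission findings for a spool directory.

    A 01777 (sticky, world-writable) spool lets every local user create
    files there.  Dot-lock delivery depends on that, and it also means a
    stale or stray <user>.lock file can hold up deliveries to that user.
    """
    mode = stat.S_IMODE(os.stat(spool_dir).st_mode)
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    lock_files = sorted(n for n in os.listdir(spool_dir) if n.endswith(".lock"))
    return {
        "mode": oct(mode),
        "world_writable": world_writable,
        "sticky": sticky,
        "dot_lock_exposed": world_writable,   # the condition the thread objects to
        "lock_files": lock_files,             # stale locks worth investigating
    }


def lock_mailbox(path: str) -> bool:
    """Take and release an exclusive fcntl() advisory lock on a mailbox.

    Only the mailbox file itself must be writable by the caller; the mode of
    the spool directory plays no part, which is the documented system
    service the dot-lock scheme works around.
    """
    with open(path, "a+") as fh:
        try:
            fcntl.lockf(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:
            return False          # another process holds the lock
        fcntl.lockf(fh, fcntl.LOCK_UN)
        return True


def demo() -> dict:
    """Constructed scenario: a 1777 spool holding a stale lock, then hardened."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "mail")          # stand-in for /var/mail
        os.mkdir(spool)
        os.chmod(spool, 0o1777)                    # the contested permission
        stale = os.path.join(spool, "alice.lock")  # constructed stale lock file
        open(stale, "w").close()
        risky = audit_spool(spool)

        os.remove(stale)
        os.chmod(spool, 0o775)                     # group-writable only (root:mail in practice)
        fixed = audit_spool(spool)

        # Delivery can still serialise on the mailbox file with fcntl().
        locked = lock_mailbox(os.path.join(spool, "alice"))
        return {"risky": risky, "fixed": fixed, "fcntl_lock_ok": locked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it prints the findings for the 1777 spool (world-writable, one stale lock file), the same directory after tightening to 0775, and confirmation that an fcntl() lock on the mailbox file still succeeds without directory write access. Pointing `audit_spool` at a live spool directory is a read-only check that can be run from a cron job or a configuration audit.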



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610312150.OAA26334>