Date: Sat, 03 Oct 1998 12:28:37 -0600
From: Brett Glass <brett@lariat.org>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: CyberPsychotic <fygrave@freenet.bishkek.su>, Mike Smith <mike@smith.net.au>, Frank Pawlak <fpawlak@execpc.com>, Open Systems Networking <opsys@mail.webspan.net>, freebsd-chat@FreeBSD.ORG
Subject: Re: Status Report on 2.2.6 Giveaway CD's
Message-ID: <4.1.19981003121246.041c3330@mail.lariat.org>
In-Reply-To: <13859.907436889@time.cdrom.com>
References: <Your message of "Sat, 03 Oct 1998 11:00:59 MDT." <4.1.19981003105957.0420ea30@mail.lariat.org>
At 10:48 AM 10/3/98 -0700, Jordan K. Hubbard wrote:

>> I was debating asking for some of the 2.2.6 giveaway CDs, but opted
>> not to do so. Why? Because that release had some security problems
>> that could actually sour some folks on FreeBSD. We were rooted as
>> a result of one of them.
>
>Oh god, I was going to jump out of this silly thread now but that
>idiotic statement above just can't be allowed to stand unchallenged.

The statement above isn't "idiotic;" it's true. The Web page http://www.freebsd.org/releases/2.2.6R/errata.html states that there are not one but four CERT security advisories in effect for FreeBSD 2.2.6-RELEASE.

>As has already been widely discussed in this very mailing list, Brett
>was rooted due to his own incompetence and not some bug in "FreeBSD",

Not so. The security hole was in a program that's included in the FreeBSD distribution. Other programs in that distribution may also be subject to attacks which are now common knowledge and for which automated "skripts" are available.

As for the matter of my "competence:" again, Jordan, you're making an unwarranted attack in response to a legitimate concern.

>the bug in question not even being a part of the core distribution but
>in an external package called popper. For what it's worth, just about
>every other OS using this version of popper (which was basically
>everybody) was equally vulnerable and to specifically blame FreeBSD
>for this is as unfair as it is inaccurate.

I did not "blame" FreeBSD per se. However, I did point out that the software with the security hole is part of that distribution. Yes, it is also part of other operating system distributions, including quite a few of Linux. I would not distribute those, either.

>Brett's own incompetence
>in this affair is incontrovertible since it subsequently transpired
>that he left NO admin in charge during his absence (which for any box
>left 24/7 on the internet is just begging for trouble)

Incorrect. An administrator was left in charge.

And we, in fact, did better than most; quite a few major ISPs had the hole open for far longer. (The largest ISP in our region, in fact, didn't fix it until TWO MONTHS later, when WE notified THEM that they were running a version that was subject to the exploit.) We, on the other hand, instantly recognized the nature of the attack and responded appropriately.

But, again, this is a peripheral issue. It is, fundamentally, a bad idea to give a new user a disk with a product that incorporates programs with such serious security problems. I would consider it to be unethical, myself.

--Brett Glass