Date: Sun, 5 Dec 1999 17:06:09 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: "David O'Brien" <obrien@FreeBSD.ORG>
Cc: Gerald Abshez <gerald@manhattanprojects.com>, audit@FreeBSD.ORG
Subject: Re: Auditing ports
Message-ID: <Pine.BSF.3.96.991205164353.6435B-100000@fledge.watson.org>
In-Reply-To: <19991205115347.A69102@dragon.nuxi.com>
On Sun, 5 Dec 1999, David O'Brien wrote:

> On Thu, Dec 02, 1999 at 10:35:34AM -0500, Gerald Abshez wrote:
> > While I'm all in favour of making _everything_ secure, I feel we
> > have to concentrate on the core functionality. Let's not put the
> > cart before the horse - The base system should be fully eyeballed
> > before we get all of the ports done.
>
> Not necessarily. The *ONLY* time any of my FreeBSD boxes have been broken
> into was thru the Qpopper buffer overflow. There are key ports that are
> network listening daemons that should take as high a priority as any of
> the base network listening daemons.

A day or two ago I sent an email to bugtraq making some assertions about
responsibility for ports security and requirements, and while not everyone
will (or even should :-) agree with me, it might be worth reading through
it to see what my thoughts on the issue were. I'll forward the post here
as fodder--not as a definitive solution to the problem :-).

Interestingly, the only flames I got were from people who either a) didn't
want to be subscribed to bugtraq anymore, and b) who didn't like long
posts and appreciated my comment at the beginning. Go figure.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message