From owner-freebsd-audit Sun Dec 5 14: 6:18 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
    by hub.freebsd.org (Postfix) with ESMTP
    id 6F22714D02; Sun, 5 Dec 1999 14:06:13 -0800 (PST)
    (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
    by fledge.watson.org (8.9.3/8.9.3) with SMTP id RAA06885;
    Sun, 5 Dec 1999 17:06:09 -0500 (EST)
    (envelope-from robert@cyrus.watson.org)
Date: Sun, 5 Dec 1999 17:06:09 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "David O'Brien"
Cc: Gerald Abshez , audit@FreeBSD.ORG
Subject: Re: Auditing ports
In-Reply-To: <19991205115347.A69102@dragon.nuxi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 5 Dec 1999, David O'Brien wrote:

> On Thu, Dec 02, 1999 at 10:35:34AM -0500, Gerald Abshez wrote:
> > While I'm all in favour of making _everything_ secure, I feel we
> > have to concentrate on the core functionality. Let's not put the
> > cart before the horse - The base system should be fully eyeballed
> > before we get all of the ports done.
>
> Not necessarily. The *ONLY* time any of my FreeBSD boxes have been broken
> into was thru the Qpopper buffer overflow. There are key ports that are
> network listening daemons that should take as high a priority as any of
> the base network listening daemons.

A day or two ago I sent an email to bugtraq making some assertions about
responsibility for ports security and requirements, and while not everyone
will (or even should :-) agree with me, it might be worth reading through
it to see what my thoughts on the issue were. I'll forward the post here
as fodder--not as a definitive solution to the problem :-).

Interestingly, the only flames I got were from people who either a) didn't
want to be subscribed to bugtraq anymore, and b) who didn't like long posts
and appreciated my comment at the beginning. Go figure.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message