From owner-freebsd-security Mon Feb 12 11:40:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id B269437B491 for ; Mon, 12 Feb 2001 11:40:20 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id UAA90732; Mon, 12 Feb 2001 20:40:05 +0100 (CET) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Peter C. Lai"
Cc: "Chris Faulhaber" , "Dominic Marks" ,
Subject: Re: Secure Servers (SMTP, POP3, FTP)
References: <20010211074201.B1396@jive.44bsd.net> <004a01c09465$86506f80$1e9e6389@137.99.156.23>
From: Dag-Erling Smorgrav
Date: 12 Feb 2001 20:40:04 +0100
In-Reply-To: "Peter C. Lai"'s message of "Sun, 11 Feb 2001 15:02:12 -0500"
Message-ID:
Lines: 19
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Peter C. Lai" writes:
> the bottom line is, comb through the code, find a flaw, make an exploit, go
> to Mr. Bernstein with the documentation, and claim your assigned monetary value
> prize. isn't that what "auditing" is all about?

No.

1) Mr Bernstein has also threatened to sue anyone who dared claim that his
   code was insecure. Not the best of incentives.

2) Take it from one who has actually needed to make non-trivial
   modifications to qmail: the code is very hard to read (if not
   unreadable), and in one case I found it easier to just rewrite the
   entire program than try to figure out how Bernstein's version was put
   together. Unreadable code is not easily unauditable.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message