Date: Wed, 04 Sep 1996 15:36:25 -0600 From: Theo de Raadt <deraadt@theos.com> To: Nate Williams <nate@mt.sri.com> Cc: Theo de Raadt <deraadt@theos.com>, terry@lambert.org, dg@root.com, darrend@novell.com, chat@freebsd.org Subject: Re: FreeBSD vs. Linux 96 (my impressions) - Reply Message-ID: <9609042136.AA12381@theos.com> In-Reply-To: Your message of "Wed, 04 Sep 1996 15:16:29 MDT." <199609042116.PAA02488@rocky.mt.sri.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> You gain the ability to 'prove' that your system is more secure by > statements other than "it's more secure". When Marcus Ranum (formerly > of TFS) states his system is secure, I believe him because of his track > record. You don't have one positive or negative since OpenBSD has > virtually no track record. We have to trust that what you're saying is > true, and trust is something that is earned, not implicitly given. You > haven't earned my trust. Right. I haven't earned your trust. Ignore my fixes, they are not worthwhile. > All *anyone* has asked (in Usenet and other forms) is that you disclose > the security problems. You (and others) took the time to find them, and > check to see if they existed in other OS's. Of course they exist in other systems. Haven't you noticed how much code from 4.2BSD was used in other systems? All the vendor systems contain a userland that is basically *ALL* BSD code (except Solaris, which adds a whole bunch more new bugs). In most of the vendor systems, they had so much trouble porting the kernel to new machines they didn't fix their userland; they just made it different. In fact, from my new-found perspective SunOS is looking like a BSD 4.3 with the security bugs fixed. So, now, remember the XXXXXX trace file bug FreeBSD recently fixed by replacing it with a version from XXXX at XXX? There you go: Hey everyone, most of you are running a XXXXX that can be used to append garbage to any file in your system. As many attacks as you want, just keep enabling and disabling it with a different file. Nate, there's your damn full disclosure. You feel better now, knowing that 40 people just got fried? Now, having vented a bit, I won't do that again. And I won't list any of the other holes. The unexpecting system admins and users don't deserve the pain you think they should for not updating to the latest release. Having said that, the above XXXXXX bug was found by us 7 years ago. I reported it to CSRG. Yet 4.4 shipped had it. Pretty amazing, isn't it? Sorry, but you don't have to be (to follow your appeal to authority) a Marcus Ranum to find and fix holes like that. Even a Theo can fix stuff like that. > Integrating the VM is alot more difficult than sending an email message > stating that the VM system is buggy. Integrating the security fixes is alot more difficult than sending an email message stating that the security system is buggy. > > Early along our quest for greater security (which was spawned by an > > attack on my machine by someone who modified a file only the NetBSD > > people would have wanted modified) I did report a security problem to > > the FreeBSD security maintainer, about a hole to look at, I did not > > get a reply. > > Stuff happens, does that mean condemning the process from that point on? When all things are added up, yeah, perhaps I should.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9609042136.AA12381>