[3085] in WWW Security List Archive
Re: About "CIA Web Page Hacked"
daemon@ATHENA.MIT.EDU (Adam Shostack)
Thu Sep 26 09:39:07 1996
From: Adam Shostack <adam@homeport.org>
To: hallam@ai.mit.edu
Date: Thu, 26 Sep 1996 07:19:40 -0500 (EST)
Cc: WWW-SECURITY@ns2.rutgers.edu
In-Reply-To: <9609252230.AA16376@etna.ai.mit.edu> from "hallam@ai.mit.edu" at Sep 25, 96 06:30:28 pm
Errors-To: owner-www-security@ns2.rutgers.edu
hallam@ai.mit.edu wrote:
| >Well, as much as you'd like to believe everyone who works for a vendor is
| >competent, with a program as absolutely huge as sendmail, it is absurd to
| >think that because a vendor modifies the source they've patched all if any
| >bugs.
|
| But entirely plausible to consider that a vaguely competent vendor
| is likely to produce a version with fewer bugs than any Allman
| edition of sendmail, either existing or yet to be created.
|
| Why a mailer needs to be a huge enormous program is beyond me.
| If you only use SMTP there is no reason that a mailer should need
| more than a few thousand lines of code. There is very little reason
| for a machine to support other protocols, particularly if the price
| of doing so is having to use sendmail.
Vendors who realize this have shipped a variety of things
other than sendmail. However, those vendors who do ship sendmail tend
to ship new releases a little while after Allman does. Read the
numerous CERT sendmail advisories, looking for 'not affected' lines.
There aren't many. Most vendors add 'features', not security.
I'm looking at qmail, but have yet to find time for a formal
review of it, and worry about a program with a low revision number.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume