[89553] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Sat Mar 25 11:02:27 2006

From: Jeroen Massar <jeroen@unfix.org>
To: JP Velders <jpv@veldersjes.net>
Cc: Gadi Evron <ge@linuxbox.org>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.62.0603251321341.21315@jp-gp.vsi.nl>
Date: Sat, 25 Mar 2006 17:01:48 +0100
Errors-To: owner-nanog@merit.edu



--=-N330tYewIZRBPb04y9b1
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Sat, 2006-03-25 at 13:30 +0100, JP Velders wrote:
[..]
> > This isn't about processes, it's about something that has been around f=
or
> > a while, many reply on and keeps ******* up. Where it simply can't.
>=20
> What world do you live in were everything is done perfect ? If you=20
> don't like sendmail because of its history or that it can contains=20
> flaws, vote with your feet and choose something that you do think can=20
> be trusted to do a better job, is more secure, is more actively=20
> developed and is developed more securely then sendmail. [*]

Indeed, and it is is not like there are no alternatives and of course
one can always roll it's own ;)

And one even didn't have to pay for it, but complaining, and not helping
out by providing patches or research is always the easy way out.

/me chose postfix btw, but mostly also because the config is much
simpler ;) Rolling my own would also be an option, the ones out there
work fine already and so what that they have bugs, no way that one can
code bugfree, just make sure that you can upgrade in time.

> Heck, if I were to have kids one day and would like them to get to=20
> school safely by car, I'd like to have something short of a tank to be=20
> absolutely certain. Instead I'll probably make them aware of the=20
> risks, give them good protection and bicyle helmets... Now if I were a=20
> head of state or something, I'd probably have people to get me that=20
> tank... Note the "have people"...

I guess you mean something like a 400.000 EUR tractor (vendor-C term):
http://www.planet.nl/planet/show/id=3D1740280/contentid=3D620223/sc=3Daa292=
8

The thing is, that might help for the collision case or a small bomb,
but one can still walk up to the guy when he gets out and shoot him
directly in the head or try to cut it off as has been demonstrated twice
before in that country. Bit futile thus to protect yourself with such
spendings when it doesn't cover the obvious cases.

Analogous, starting over using a new product might introduce other
security risks and of course never forget the migration path which in
larger installs includes training and upgrades, problem shooting and
then finding out that new bugs exist in the new code. Even the folks who
moved over from SSH.com to OpenSSH have found out that they had to
upgrade a large number of times, some times even with very troublesome
vulnerabilities, in the end causing most people to rate-limit port 22 or
to move it to another port altogether because of the automated scanning
happening.

Greets,
 Jeroen

(Fortunately it was not my tax money that bought that tractor :)


--=-N330tYewIZRBPb04y9b1
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iHUEABECADUFAkQlaWwuFIAAAAAAFQAQcGthLWFkZHJlc3NAZ251cGcub3JnamVy
b2VuQHVuZml4Lm9yZwAKCRApqihSMz58I5AdAJ4yEjI0FfVPSSvKMalL/iJI6u09
xgCcD+afyNgz29dgf2mrSr82sai5BnQ=
=IpNi
-----END PGP SIGNATURE-----

--=-N330tYewIZRBPb04y9b1--


home help back first fref pref prev next nref lref last post