[365] in bugtraq
Re: Full Disclosure works, here's proof:
daemon@ATHENA.MIT.EDU (Randy Bias)
Mon Dec 5 19:06:24 1994
Date: Mon, 5 Dec 1994 13:38:36 -0800
From: randyb@internex.net (Randy Bias)
To: karl@bagpuss.demon.co.uk, smb@research.att.com
Cc: belal@sco.COM, bugtraq@fc.net

> Getting code right is hard. Getting code right in a complex system is
> *very* hard. While one can, I claim, do better for security stuff than
> in the general case, I do not think it is humanly possible to build
> a large system with no security flaws. (And yes, I put firewalls in
> that category -- which is why good firewalls are as small and simple
> as possible.)

Absolutely. I've been a SysAdmin for a while now and I learned very quickly
that it's just not a bright idea to install a patch unless you need it. This
can be said for a lot of things.

If you subscribe to chaos theory (and I do) then you would be better off
accepting that you *will* introduce new bugs (and possibly security bugs) while
fixing old ones. In that case, you should release the source with the patch,
or your customers need to accept that you may get it wrong the first time.

--Randy