On Tue, Nov 14, 2000 at 02:01:07PM -0600, Charles Cazabon wrote:
> re: Schneier's commentary in Secrets and Lies
> 
> Mate Wierdl <[EMAIL PROTECTED]> wrote:
> > 
> > He says, the best way to evaluate the security of a product is to have it
> > audited by security experts.
> > So has any expert ever audited qmail or djbdns?
> 
> As Dave Sill pointed out, no formal security audit has been conducted by
> an independent party.
> 
> However, as far as qmail goes:  all the crackers in the world have had access
> to the qmail source code and design documentation for years, and none have
> yet found an exploitable security hole.  You could consider that a fairly
> thorough audit-by-fire.

Not really.  There are many examples to the contrary---quoted in the
book.  For example, there were buffer overflows discovered in Kerberos
which had been in the code for 10 years, or Mailman had glaring
security flaws no one noticed for three years.

It seems the comforting thing would be if some commercial companies using
qmail would pay for auditing.

Mate
