Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-02-04 Thread Scott Francis
On Mon, Feb 03, 2003 at 11:27:46AM +0100, [EMAIL PROTECTED] said: --On Tuesday, January 28, 2003 18:06:47 -0800 Scott Francis [EMAIL PROTECTED] wrote: I'm sure they'll move to a newer version when somebody on the team gets a chance to give it a thorough code audit, and run it

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-02-03 Thread Måns Nilsson
--On Tuesday, January 28, 2003 18:06:47 -0800 Scott Francis [EMAIL PROTECTED] wrote: I'm sure they'll move to a newer version when somebody on the team gets a chance to give it a thorough code audit, and run it through sufficient testing prior to release. The -current tree now is at BIND

Re: What could have been done differently?

2003-02-01 Thread Dave Howe
shnipp Data Protection stuff At least theoretically, the US *is* supposed to have a comparable system. European privacy law makes it illegal to transfer personal data of any kind to a country without a comparable system - the US has a voluntary Safe Haven scheme that is supposed to enable US

Re: What could have been done differently?

2003-01-30 Thread David Howe
at Thursday, January 30, 2003 12:01 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] was seen to say: But this worm required external access to an internal server (SQL Servers are not front-end ones); even with a bad or no patch management system, this simply wouldn't happen on a properly configured

Re: What could have been done differently?

2003-01-30 Thread Scott Francis
On Thu, Jan 30, 2003 at 10:39:17AM -0800, [EMAIL PROTECTED] said: IIRC, MS's patches have been digitally signed by MS, and their patching system checks these signatures silently. So, they will claim that compromised route info and/or DNS spoofing does not affect their correctness. Though, I'm not

Re: What could have been done differently?

2003-01-29 Thread Michael Dillon
His main thesis was basically that every OS in common use today, from Windows to UNIX variants, has a fundamental flaw in the way privileges and permissions are handled - the concept of superuser/administrator. He argued instead that OSes should be redesigned to implement the principle of

Re: What could have been done differently?

2003-01-29 Thread Iljitsch van Beijnum
On Tue, 28 Jan 2003, Scott Francis wrote: I'm still looking for a copy of the presentation, but I was able to find a slightly older rant he wrote that contains many of the same points: http://www.bsdatwork.com/reviews.php?op=showcontentid=2 Good reading, even if it's not very much practical

Re: What could have been done differently?

2003-01-29 Thread just me
On Tue, 28 Jan 2003, Scott Francis wrote: He argued instead that OSes should be redesigned to implement the principle of least privilege from the ground up, down to the architecture they run on. [...] The problem there is the same as with windowsupdate - if one can spoof the central

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Wed, Jan 29, 2003 at 10:47:30AM -0800, [EMAIL PROTECTED] said: On Tue, 28 Jan 2003, Scott Francis wrote: He argued instead that OSes should be redesigned to implement the principle of least privilege from the ground up, down to the architecture they run on. [...] The problem

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Wed, Jan 29, 2003 at 12:21:50PM -0800, [EMAIL PROTECTED] said: [snip] So far, the closest thing I've seen to this concept is the ssh administrative host model: adminhost:~root/.ssh/id_dsa.pub is copied to every targethost:~root/.ssh/authorized_keys2, such that commands

Re: What could have been done differently?

2003-01-29 Thread bdragon
Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun vendor because some moron shoots himself in the head with it? No.

Re: What could have been done differently?

2003-01-29 Thread Mike Hogsett
Similarly, you _pay_ MS for a product. A product which is repeatedly vulnerable. I think this is key. People (individuals/corporations) keep buying crappy software. As long as people keep paying the software vendors for these broken products what incentives do they have to actually fix

Re: What could have been done differently?

2003-01-29 Thread Scott Francis
On Tue, Jan 28, 2003 at 11:13:19AM -0200, [EMAIL PROTECTED] said: [snip] But this worm required external access to an internal server (SQL Servers are not front-end ones); even with a bad or no patch management system, this simply wouldn't happen on a properly configured network. Whoever got

What could have been done differently?

2003-01-28 Thread Sean Donelan
On Tue, 28 Jan 2003, The New York Times wrote: A spokesman for Microsoft, Rick Miller, confirmed that a number of the company's machines had gone unpatched, and that Microsoft Network services, like many others on the Internet, experienced a significant slowdown. We, like the rest of the

Re: What could have been done differently?

2003-01-28 Thread Alex Bligh
Sean, --On 28 January 2003 03:10 -0500 Sean Donelan [EMAIL PROTECTED] wrote: Are there practical answers that actually work in the real world with real users and real business needs? 1. Employ clueful staff 2. Make their operating environment (procedures etc.) best able to exploit their

Re: What could have been done differently?

2003-01-28 Thread E.B. Dreger
ED Date: Tue, 28 Jan 2003 12:42:41 + (GMT) ED From: E.B. Dreger ED Sure, worm authors are to blame for their creations. ED Software developers are to blame for bugs. Admins are to s/Admins/Admins and their management/ Eddy -- Brotsman Dreger, Inc. - EverQuick Internet Division

Re: What could have been done differently?

2003-01-28 Thread Leo Bicknell
In a message written on Tue, Jan 28, 2003 at 03:10:18AM -0500, Sean Donelan wrote: They bought finest firewalls, A firewall is a tool, not a solution. Firewall companies advertise much like Home Depot (Lowes, etc), everything you need to build a house. While anyone with 3 brain cells realizes

RE: What could have been done differently?

2003-01-28 Thread Eric Germann
Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun vendor because some moron shoots himself in the head with it? No. It

Re: What could have been done differently?

2003-01-28 Thread Jack Bates
From: Eric Germann Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun vendor because some moron shoots himself in

Re: What could have been done differently?

2003-01-28 Thread Ted Fischer
At 11:13 AM 1/28/03 -0200, Rubens Kuhl Jr. et al postulated: | Are there practical answers that actually work in the real world with | real users and real business needs? Yes, the simple ones that are known for decades: - Minimum-privilege networks (access is blocked by default, permitted to

RE: What could have been done differently?

2003-01-28 Thread Drew Weaver
] Cc: Eric Germann Subject: Re: What could have been done differently? From: Eric Germann Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems

Re: What could have been done differently?

2003-01-28 Thread Leo Bicknell
In a message written on Tue, Jan 28, 2003 at 10:23:09AM -0500, Eric Germann wrote: Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. Should we

Re: What could have been done differently?

2003-01-28 Thread Andy Putnins
On Tue, 28 Jan 2003 10:42:05 - Alex Bligh wrote: Sean, --On 28 January 2003 03:10 -0500 Sean Donelan [EMAIL PROTECTED] wrote: Are there practical answers that actually work in the real world with real users and real business needs? 1. Employ clueful staff 2. Make

RE: What could have been done differently?

2003-01-28 Thread Ray Burkholder
: January 28, 2003 12:43 To: Alex Bligh Cc: Sean Donelan; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: What could have been done differently? This is therefore a request for all of those who possess this clue to write down their wisdom and share it with the rest of us, so we can address

WANAL (Re: What could have been done differently?)

2003-01-28 Thread Paul Vixie
[EMAIL PROTECTED] (Eric Germann) writes: Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. ... Don't forget BIND, we've had our problems as

OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Rafi Sadowsky
## On 2003-01-28 17:49 - Paul Vixie typed: PV PV In any case, all of these makers (including Microsoft) seem to make a very PV good faith effort to get patches out when vulnerabilities are uncovered. I PV wish we could have put time bombs in older BINDs to force folks to upgrade, PV but

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Paul Vixie
What do you think of OpenBSD still installing BIND4 as part of the default base system and recommended as secure by the OpenBSD FAQ? (See Section 6.8.3 in http://www.openbsd.org/faq/faq6.html#DNS ) i think that bind4 was relatively easy for them to do a format string audit on, and that

RE: What could have been done differently?

2003-01-28 Thread Vadim Antonov
On Tue, 28 Jan 2003, Eric Germann wrote: Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does that do to open source? A law can be crafted in such a way so as to create distinction between selling for profit (and assuming

Re: What could have been done differently?

2003-01-28 Thread Iljitsch van Beijnum
Sean Donelan wrote: Many different companies were hit hard by the Slammer worm, some with better than average reputations for security awareness. They bought finest firewalls, they had two-factor biometric locks on their data centers, they installed anti-virus software, they paid for SAS70

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Mike Lewinski
On 1/28/03 11:57 AM, Paul Vixie [EMAIL PROTECTED] wrote: What do you think of OpenBSD still installing BIND4 as part of the default base system and recommended as secure by the OpenBSD FAQ? (See Section 6.8.3 in http://www.openbsd.org/faq/faq6.html#DNS ) i think that bind4 was

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 03:10:18AM -0500, [EMAIL PROTECTED] said: [snip] Many different companies were hit hard by the Slammer worm, some with better than average reputations for security awareness. They bought finest firewalls, they had two-factor biometric locks on their data centers, they

RE: What could have been done differently?

2003-01-28 Thread Eric Germann
, January 28, 2003 10:36 AM To: [EMAIL PROTECTED]; Leo Bicknell; [EMAIL PROTECTED] Cc: Eric Germann Subject: Re: What could have been done differently? From: Eric Germann Not to sound too pro-MS, but if they are going to sue, they should be able to sue ALL software makers. And what does

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 07:10:52PM -0500, [EMAIL PROTECTED] said: [snip] As has been said, no one writes perfect software. And again, sometime, the user has to share some responsibility. Maybe if the users get burned enough, the problem will get solved. Either they will get fired, the

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 11:22:13AM -0500, [EMAIL PROTECTED] said: [snip] That is, I think there is a big difference between a company the size of Microsoft saying we've known about this problem for 6 months but didn't consider it serious so we didn't do anything about it, and an open source

Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 08:53:59PM +0200, [EMAIL PROTECTED] said: [snip] Hi Paul, What do you think of OpenBSD still installing BIND4 as part of the default base system and recommended as secure by the OpenBSD FAQ? (See Section 6.8.3 in http://www.openbsd.org/faq/faq6.html#DNS ) OpenBSD

Re: What could have been done differently?

2003-01-28 Thread David Lesher
Somewhere in the equation, the sysadmin/enduser, whether Unix or Windows, has to take some responsibility. Hence I loved this: http://www.nytimes.com/2003/01/28/technology/28SOFT.html Worm Hits Microsoft, Which Ignored Own Advice By JOHN SCHWARTZ Among the

Re: What could have been done differently?

2003-01-28 Thread Mike Lewinski
On Tue, 28 Jan 2003, Andy Putnins wrote: This is therefore a request for all of those who possess this clue to write down their wisdom and share it with the rest of us I can't tell you what clue is, but I know when I don't see it. In some cases our clients have had Code Red, Nimda, and

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 08:14:17PM +0100, [EMAIL PROTECTED] said: [snip] restrictive measures that operate with sufficient granularity. In Unix, traditionally this is done per-user. Regular users can do a few things, but the super-user can do everything. If a user must do something that

Re: What could have been done differently?

2003-01-28 Thread Scott Francis
On Tue, Jan 28, 2003 at 09:00:48PM -0500, [EMAIL PROTECTED] said: In message [EMAIL PROTECTED], Scott Francis writes: There's a difference between having the occasional bug in one's software (Apache, OpenSSH) and having a track record of remotely exploitable vulnerabilities in virtually

Re: What could have been done differently?

2003-01-28 Thread Brian Wallingford
On Tue, 28 Jan 2003, Steven M. Bellovin wrote: :They do have a lousy track record. I'm convinced, though, that :they're sincere about wanting to improve, and they're really trying :very hard. In fact, I hope that some other vendors follow their :lead. My big worry isn't the micro-issues like

Re: What could have been done differently?

2003-01-28 Thread Valdis Kletnieks
On Tue, 28 Jan 2003 19:10:52 EST, Eric Germann [EMAIL PROTECTED] said: Sort of like the person who sued McD's when they dumped their own coffee in their lap because it was too hot. Somewhere in the equation, the sysadmin/enduser, whether Unix or Windows, has to take some responsibility. Bad