Newsgroups: comp.unix.bsd.bsdi.misc
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!lucy.swin.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!ix.netcom.com!howland.erols.net!news.sprintlink.net!news-peer.sprintlink.net!metro.atlanta.com!news.new-york.net!news.interactive.net!ritz
From: ritz@onyx.interactive.net (Chris Mauritz)
Subject: Re: Security hole
X-Nntp-Posting-User: ritz
Organization: IBS Interactive, Inc.
Lines: 28
Message-ID: <E4D8wo.22E@news.interactive.net>
References: <32DEEC3F.E23@interlog.com> <DERAADT.97Jan18154120@zeus.theos.com> <5bstum$84v@duke.telepac.pt> <5bue0s$psh@tofu.alt.net> <E4AAyu.GD2@news.interactive.net> <5c0glm$khi@tofu.alt.net> <E4Boww.69M@news.interactive.net> <DERAADT.97Jan20184315@zeus.theos.com>
X-Trace: 853862999/2667
X-Nntp-Posting-Host: onyx.interactive.net
Date: Tue, 21 Jan 1997 16:10:00 GMT
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:5668

Theo de Raadt <deraadt@theos.com> is rumoured to have written:

:) In article <E4Boww.69M@news.interactive.net> ritz@onyx.interactive.net (Chris Mauritz) writes:
:) In which case you get what's coming to you. Running a secure system
:) is an ongoing process. You really DO need to waddle by ftp.bsdi.com
:) once in a while and keep up with the patches.
:)
:) Well, it's well known that I don't think this to be enough. BSD is
:) being reactive to the bugs, just like all the other commercial
:) vendors. They are not fixing a problem until the exploit becomes
:) well-known.

Well, it's a bit difficult to fix an unknown bug.

:) Even if you do this, I'd say the window is 3 weeks or so; from when
:) the bug becomes well known till when a fix is available. But during
:) the period of not-well-known you are vulnerable as well. Just to pick
:) an example, with the recent talkd exploit oh, the problem was known
:) about 6 months. Four weeks ago you couldn't just see a news
:) posting containing the exploit code, you had to actually go onto irc
:) and ask around...

I believe we were the first to report the ntalkd bug to BSDI and the patch was available within 36 hours. I don't find that terribly unreasonable.

Regards,

Chris

--
Christopher Mauritz     | For info on internet access:
ritz@interactive.net    | finger/mail info@interactive.net OR
IBS Interactive, Inc.   | http://www.interactive.net/