Petri Sirkkala. said:
On Tue, 7 Mar 2000, John Grant wrote:
Petri Sirkkala. said:
On Mon, 6 Mar 2000, Yasholomew Yashinski wrote:
[snip]
So I tell you that you should use qmail because the latest sendmail is crackable. Is this true, or am I just spreading FUD? An exploit allows admins to try it on their systems.
I don't care if it is FUD or not. I only react to those mails originating from SuSE or the real vendors of the programs. These are of course the parties that need the exploits to verify the bug, and then send the _official_ security issues.
I did not say _only_ SuSE. But so far I trust only the ones I can verify myself. This is what everyone has to determine for themselves.
That's exactly my point. How do I know I can trust them without being able to double-check them? That's why I, as the person responsible for securing a system, need an exploit to be published as soon as it's known. I need to verify the bug on my system, and verify the fix once it's made available (or I've patched it myself, if I have source).

Something else to consider: a bug is not always found by an audit. Often, perhaps even most of the time, a security hole is found by someone being hacked, and the hackee tracking down how. In that case the exploit is _already_ known, so I'm already vulnerable. Publishing the exploit just makes _me_ aware of it, which is something I want to happen as soon as possible. Even if found by audit, there's no guarantee that no one else has found it too, and is using it. Any way I look at it, it's my assets in jeopardy, and I want to be notified immediately so I can take steps to protect those assets.

-John