Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.syd.connect.com.au!phaedrus.kralizec.net.au!news.mel.aone.net.au!grumpy.fl.net.au!news.webspan.net!www.nntp.primenet.com!nntp.primenet.com!news.mathworks.com!news-xfer.netaxs.com!hammer.uoregon.edu!newsgate.cuhk.edu.hk!agate!theos.com!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: Security hole
Date: 21 Jan 1997 01:43:15 GMT
Organization: Theo Ports Kernels For Fun And Profit
Lines: 20
Message-ID: <DERAADT.97Jan20184315@zeus.theos.com>
References: <32DEEC3F.E23@interlog.com> <DERAADT.97Jan18154120@zeus.theos.com> <5bstum$84v@duke.telepac.pt> <5bue0s$psh@tofu.alt.net> <E4AAyu.GD2@news.interactive.net> <5c0glm$khi@tofu.alt.net> <E4Boww.69M@news.interactive.net>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: ritz@onyx.interactive.net's message of Mon, 20 Jan 1997 20:00:32 GMT
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:5591

In article <E4Boww.69M@news.interactive.net> ritz@onyx.interactive.net (Chris Mauritz) writes:

   In which case you get what's coming to you. Running a secure system
   is an ongoing process. You really DO need to waddle by ftp.bsdi.com
   once in a while and keep up with the patches.

Well, it's well known that I don't think this to be enough. BSD is
being reactive to the bugs, just like all the other commercial
vendors. They are not fixing a problem until the exploit becomes
well-known.

Even if you do this, I'd say the window is 3 weeks or so; from when
the bug becomes well known till when a fix is available. But during
the period of not-well-known you are vulnerable as well.

Just to pick an example, with the recent talkd exploit oh, the problem
was known about about 6 months. Four weeks ago you couldn't just see a
news posting containing the exploit code, you had to actually go onto
irc and ask around...
--
This space not left unintentionally unblank.    deraadt@theos.com
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.