Subject: Re: [ ISP's hit by Canadians vandals]
To: Yiorgos Adamopoulos <>
From: Charles M. Hannum <>
List: tech-security
Date: 07/08/1998 10:56:43
> Anybody knows anything on this?

I haven't heard anything about it.  I did find some comments on a
FreeBSD mailing list suggesting that there are ongoing qpopper
attacks, but I don't know whether this is related.

While we (actually, mostly Matt) have made a significant effort to
audit our source tree for security holes, we simply don't have the
resources to audit every third party software package on the net that
people might want to use.

The sad truth is that all software has bugs.  If you're willing to
invest the time (say, if you're a bored college student, or a twink
with nothing better to do -- like certain of the `security' groups on
bugtraq these days), it's almost certain that you'll eventually find
an exploitable bug somewhere.

What we really need to do is shift away from the inherently unsafe
Unix security model, and the inherently unsafe programming constructs
typically used in C programs, to a different programming methodology
that is better at containing and logging the failures that we *know*
will sometimes occur.

Repeatedly auditing code that changes over time is extremely
time-consuming, and we've already seen on bugtraq hard proof that
merely auditing code does not necessarily make it secure.  There have
been several recent examples not only of bugs that were not found by
auditing, but also of bugs that were actually introduced during the
auditing process (ironically, by a certain group that likes to tout
itself as `making the net secure').

Anyway, I suppose what I'm getting at here is that the state of Un*x
security in general is pretty sad, largely because the security model
itself is broken by design.  Until such time as the model itself is
fixed -- and we stop simply patching out bugs -- I'm willing to state
that any claim of a Un*x system being `secure' is nothing more than
fallacious marketing diatribe.

That said, I have some ideas on how to fix the methodology, but
unfortunately I have other work priorities at the moment.  [This is a
hint to someone with more free time than I have.]

Meanwhile, like everyone else in the industry, we will continue
pissing in the wind with great ferocity.  [And y'all should look at
the recently added `year 2000' and `security' pages on the web