Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
A role model for security. Almost.
Jason Miller, 2005-06-08

Mark Burnett beat me to it. I was planning to write an article on the relationship between good security and paranoia in the not too distant future. However, it appears that at least one other SecurityFocus columnist shares some of my theories on good security. Either that, or he's somehow capable of reading my mind. Paranoia is generally a good thing to have. Regardless, Mark's article got me wondering about what other traits are valuable in the quest for good security.

Comments Mode:
A Role Model for Security. Almost. 2005-06-09
Anonymous (1 replies)
<p>Is not postfix in the same arena?</p>
...

[ more ]  [ reply ]
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy
Yes. The failures of Postfix have been far more visible. Bernstein has also carefully pointed each of them out, in his typical antagonistic style, illustrating why, he believes, that makes qmail better.

Security claims like those made by both Postfix and qmail are historically horrid ideas. Th...

[ more ]  [ reply ]
A Role Model for Security. Almost. 2005-06-11
xeon (1 replies)
I don't agree with you.
If that vulnerability isn't possible to exploit or to use in real world, it isn't a security vulnerability, it's digital hype.
...

[ more ]  [ reply ]
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy (1 replies)
Though it carries a *LARGE* footprint of several gigabytes of VM allocation, the issue is certainly exploitable. Exploitation could be easily detected, but by then, damage has already been done. It isn't very stealthy, but there are still limited applications for its use.

Arbitrary code execu...

[ more ]  [ reply ]
Re: Re: A Role Model for Security. Almost. 2006-05-08
Anonymous
it's not exploitable at all if you are using the recomended* set up from www.lifewithqmail.org


* by users of the official qmail mailing list ...

[ more ]  [ reply ]
A Role Model for Security. Almost. 2005-06-11
Anonymous (1 replies)
This philosophy of designing with security in mind from the beginning and creating the most bug free code possible that you so admiringly attribute to Dan Bernstein and his products qmail and djbdns is also the philosophy of the OpenBSD operating system.

If companies like Microsoft would make as...

[ more ]  [ reply ]
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy
OpenBSD is perhaps the only (modern) example that is worse than Bernstein's code. Sure, I could secure a system if it were so stripped down as to be barely accessible by default. And that's just good design.

But, the OpenBSD team's "secure by design" effort has not had nearly as much success as...

[ more ]  [ reply ]
A Role Model for Security. Almost. 2005-06-15
Russell Nelson (1 replies)
The problem is not with the code, but with the documentation. The only way that the Guninski "exploit" even begins to qualify is because the default installation instructions don't explicitly tell you to limit the resources available to qmail-smtpd, and yet "everybody knows" that you shouldn't give...

[ more ]  [ reply ]
Re: A Role Model for Security. Almost. 2005-06-29
Matthew Murphy
Wrong. While "everybody" may know that you don't give gigabytes of VM to an application *unless you have such resources to burn*, you have to look at the purpose of system rlimits.

Resource limits were designed fundamentally, to avoid allowing a single *local* user to utilize a disproportionate ...

[ more ]  [ reply ]




 

Privacy Statement
Copyright 2009, SecurityFocus