Reader Comments
Ah...
VSFTP, the featureless but so-far-unhacked ftpd.
It's glad to have a shred of support behind my own ranting, that the Next Shiny Untested Thing is no more secure than that which has had an exploit for each of its 20 years of existence and maintenance.
Postfix doesn't have the market on strncpy(), despite what the slobbering masses will try to tell you.
Re: Ah...
I can only assume this is humor, because if this is serious, you've got to be kidding me.
Postfix is neither new, nor has it had an exploit a year for the last 20 years (I believe it is more like 5 years) of its existence (unless you know something you aren't sharing.) And it has been tested, in the real world, for 5 years, and has been far better than Sendmail in regards to security. The slobbering masses are still pushing Sendmail...there are a lot of folks who have chosen not to run postfix because of its licensing issues, not because of its security issues.
I run postfix, because it is smarter at dealing with rewrites than sendmail is, but also because it has a good track record for security. Dan's qmail program is also a good alternative to postfix, if you don't want to use postfix.
The funny thing is that this article (if you did RTFA,) doesn't even talk about Postfix or VSFTP, but instead talked about how folks tend to get overly excited about new frontiers in technology making old problems disappear, only to find that new problems (which look exactly like the old problems) crop up and spoil the excitement. Postfix certainly doesn't step forward, it steps backward (which is what makes it more secure,) because it takes all the bells and whistles out of Sendmail which tends to get Sendmail into trouble. Yes, postfix has its own share of problems, but they are well documented and often easy to work around.
Life in the fishbowl...
I usually like Simson Garfinkel's articles, but for some reason this one seemed wrong. It wasn't that what he was saying was wrong, it was the fact that he was so accurate in his argument that it seemed too terribly one-sided. While I tend to agree, that the computer world lives in a Frontier Syndrome, where is this any different than the real world? After all, we all have our own hopes and dreams, and usually to get to those hopes and dreams we need to work hard. Yet, when we reach the point where we achieve our hopes and dreams, we realize that we have even bigger hopes and dreams and that those which we wanted before really don't mean much to us any more. This is just the way we are, and the computer security world is no different.
But just because we look forward to the golden future of computer security, where hackers are zapped by millions of volts of electricity the moment they access our computers illegally does not mean that we should discount that what we have fixed in the past. To do so would likely cause the reintroduction of the bad stuff because we forgot it was bad.
There will never be a silver bullet in security, just like there is never a silver bullet in any other line of work, but does that mean we should give up trying?
In a perfect world, security would work flawlessly, but in the real world, as in the digital world, even if we had perfect security models we would still have failures since we are human, with very limited lifespans, and as humans, we tend to take the easy way out of things, and may not implement the security model correctly all the time. Many security failures occur because we either forget to do things the right way, or are too lazy to fix things done the wrong way, and we are all guilty of this. In the future, we'll hopefully develop systems to either reduce or eliminate human error...or at least we can hope and dream we will for the time being.