
Re: on potato's proftpd



dear list,

look, i am really not here to start a flame war and heck no, i don't
want one. please excuse me if my behaviour has led you to this
belief (or maybe not). i am simply failing to grasp the arguments laid
out by wichert. that is, i don't disagree with him per se, but i have
the feeling that i am also not being understood. so, please read this
last attempt to clarify and then either respond, or give me a straight
"shut up" and i will. and i apologize up front to sven for posting
parts of his personal reply to the list.

also sprach Sven Hoexter <sven@telelev.net> [2002.04.02.2240 +0200]:
> Calm down :) It's "just" a DoS attack and if you use software, you as
> the admin should look at the normal flood of information and pick out what
> you need. If you do so, you know the problem and you can work around it in
> different ways. One way is the Deny directive or some of the Ulimit options
> introduced into proftpd after the problem occurred the first time.
> In the Debian way the Deny directive is the working one.

well, i am calm, but i disagree. sure, it boils down to the question
of who debian's audience is, but as far as i am concerned, debian's
reputation _used_ to include "security", and the reason why i'd (as in
"would" and "had") install(ed) debian was because i didn't need to be
worrying about the obvious and hence i could spend my resources on
other things. had i wanted to patch one-year-old bugs in software that
installs from the "security archives", then i might have just chosen
to "fly" redhat. i don't understand why you aren't understanding this.
i am not at all against finding the real bug as well as investigating
why:

> there is a patch that doesn't work and it seems like nobody proved
> the patch after it was applied for the first time.

but give me at least one argument why these acts cannot combine with
a *temporary* fix uploaded to the so-called "security archives".

> With this I'm falling back to another topic: Is the way of keeping
> exploit code behind bars really good for the admin without the
> special coding skills, or just new stones in the process of running
> a secure server?

exactly my point. debian's the "hacker OS", but it's also damn good.
so why not take little steps such as this and keep it that way even
for the ones that don't spend 20 hours a day in front of a computer
and know assembler backwards...

> Just my personal thoughts about your flames with Wichert.

they really weren't intended to be flames. i am sorry if they felt
that way. i am really just trying to be concise since i don't have
much more to say than i did.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"we should have a volleyballocracy.
 we elect a six-pack of presidents.
 each one serves until they screw up,
 at which point they rotate."
                                                      -- dennis miller


