
Re: freebsd - Re: recommended Virus Scanner?



On Sat, Nov 29, 2003 at 04:41:47AM -0800, Tom wrote:

> > Bernstein pays $500 for each verifiable security hole in qmail.
> > Following the same premise as for Knuth, you should find this a
> > similarly lucrative opportunity.  You might find the page detailing this
> > offer of interest:
> 
> Touche.  (I'm smiling).
> 
> I do not believe I will ever collect a check from either man.
> 
> However, I firmly believe each will write another check.

Here's the guy's page:

My offer still stands. Nobody has found any security holes in qmail.

Of course, ``security hole in qmail'' does not include problems outside 
of qmail: for example, NFS security problems, TCP/IP security problems, 
DNS security problems, bugs in scripts run from .forward files, and 
operating system bugs generally. It's silly to blame a problem on qmail 
if the system was already vulnerable before qmail was installed! I also 
specifically disallowed denial-of-service attacks: they are present in 
every MTA, widely documented, and very hard to fix without a massive 
overhaul of several major protocols. (UNIX does offer some tools to 
prevent local denial-of-service attacks; see my resource exhaustion page 
for more information. See also my page responding to Wietse Venema's 
slander.) 

//

Does it matter very much if qmail is secure if the author feels 
compelled to write about the dozens of security problems real people 
actually encounter?

That's the nature of 'xploits: they always hit you where you aren't 
looking.


