At 11:33 AM 2003-02-07 -1000, Vince Sabio wrote:
>** Sometime around 15:06 -0500 02/07/2003, Nick Simicich sent everyone:
>
>>You know, I have another alert: You might have meant for no one to sign
>>up for this list, but the default is to let people sign up! The most
>>restrictive defaults should be picked in all cases, of course, so the
>>default should be to not let people sign up! And to not let people use
>>the list at all! And to restrict all English words from being in a
>>posting, because if people are allowed to use language in mailing list
>>postings, they could accidentally give away secrets!
>
>Nick,
>
>I agree with your overall assessment that the "security alert" is B.S.
>However, default settings should be reasonable.
And, they made the false claim that the vendor had agreed and released
patches for Mj1, when the patches were actually created by the
reporter. As to whether or not Mj2 agreed, I think that they did, only to
shut the reporter up. I would argue that was a bad tactic.
Again, Majordomo has not been updated for quite a while - the last update
was done when there was an actual vulnerability in the package, which was
some time ago. People have released patches, but that is not germane to the
code base. Anyone applying source patches is also likely to read the doc.
The patch released by the reporter will not be incorporated into any code
bases, as I believe that the license on the code prohibits releasing
modified versions.
> For example, setting defaults so that no one can sign up for a new list
> is arguably not particularly useful in most cases [1]; OTOH, defaulting
> which_access to closed/list/private/something-anything other than "open"
> is probably smarter than defaulting it to open.
I agree. However, my point is that the real alert is "read the
manual". And my point is that I agree, you should read the manual, and
that the defaults may not be appropriate no matter what they are set to.
>Other comments still apply, including RTFM/RTFDOC when setting up a server
>of any sort. And as we all know, sysadmins have nothing but time on their
>hands... ;-)
And if they do not have the time, and they still try to do the job, guess
what: They are likely to configure systems incorrectly and leave all sorts
of holes and they will be a lot more damaging than the release of
subscriber lists.
--
SPAM: Trademark for spiced, chopped ham manufactured by Hormel.
spam: Unsolicited, Bulk E-mail, where e-mail can be interpreted generally
to mean electronic messages designed to be read by an individual, and it
can include Usenet, SMS, AIM, etc. But if it is not all three of
Unsolicited, Bulk, and E-mail, it simply is not spam. Misusing the term
plays into the hands of the spammers, since it causes confusion, and
spammers thrive on confusion. Spam is not speech, it is an action, like
theft, or vandalism. If you were not confused, would you patronize a spammer?
Nick Simicich - njs@scifi.squawk.com - http://scifi.squawk.com/njs.html
Stop by and light up the world!