Subject: Re: qmail, from bugtraq
From: Dylan Griffiths (Dylan_G at bigfoot.com)
Date: Mon Feb 07 2000 - 18:53:22 CST
- Next message: Russ Allbery: "Re: Qmail Lovers Please Go Home"
- Previous message: Jeff Bronson: "errors after compiling on Sol"
- In reply to: D. J. Bernstein: "Re: qmail, from bugtraq"
- Next in thread: Jeff Hayward: "Re: Secure design (was ....., from bugtraq)"
- Reply: Dylan Griffiths: "Re: qmail, from bugtraq"
- Reply: Jeff Hayward: "Re: Secure design (was ....., from bugtraq)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
"D. J. Bernstein" wrote:
> Wietse Venema writes:
> > I installed qmail as per author instructions and ran my machines
> > out of swap with a trivial exploit.
>
> That's because you neglected to use the tools that your system provides
> to allocate your resources.
[snip]
> Of course, as a fraudulent marketing stunt, you carefully wrote _your_
> attack programs so that they would only work after qmail was installed.
> But security is defined by what _can_ be done, not by what _you_ did.
If a program can defend against any kind of purposefully or randomly
malformed input data, it should (1). Every first year programming student
should be taught this in their design phase. As a programmer, you are
designing the logic of your programs. If your logic is sound, your programs
should function well even in adverse conditions. The only problems you
aren't able to protect against are hardware problems (2), thus you should
focus on checking data.
If I am a website CGI program, does the author assume that the cookie hasn't
been tampered with on some other site? It shouldn't -- yet many do (see
recent CERT advisories and discussions on bugtraq). Never, ever trust the
client. This is a strict policy for any system deemed to be anywhere *near*
secure. To not do your best to ensure security is to be remiss in your
design of your programs. Do you trust your own home LAN? I don't, even
though I can see the hub and yank any ethernet at will. If someone manages
to breach my firewall by any means (3), they would not get much (except my
public browsing habits) as I trust my LAN about as much as I trust the
internet (that is, not at all). Again, you must never ever assume you are
handed valid data, and always do your best to secure it via whatever means
necessary.
You, the author, have neglected to use the tools available to you (via POSIX
APIs) to be sure your system, which you have the best understanding of, does
not exceed rational limits. To say your program is not at fault is akin to
saying that your bathroom door lock is quite secure, despite the fact that a
toothpick inserted into it will open it, because it is assumed the main house
door will be locked. Your responsibility is to provide as much security at
each and every possible level. Your responsibility is not to chew out users
because they are not perfect (4). Based on your own arguments, too, I could
say that any competent admin should avoid Qmail as it does not use every
tool available to it to be sure of a secure system.
In closing, this does seem to be an issue more of you not liking our
friendly neighbourhood Venema. Qmail, I'm sure, is a fine setup. From what
I've read of it, it does have a well thought out design -- although I do not
see the need for change (Wietse has proved that, except for the true bugs,
the current sendmail standards can be robust when implemented carefully).
If you wish to flame him, I ask that you have the decency to do so in
private. Doing so in public marks you as an immature individual, even if
you did not intend it that way (5). Have a nice life.
(1) This is the principle of robust programming. Handling ALL possible
error situations as well as possible, and constructively failing in a manner
that will not lose data, while alerting the end user to the situation. Just
because your program is told to open a file and it fails, doesn't mean it
has to coredump.
(2) This is why Wietse, in his wisdom, asks that people use things such as
ECC memory in mission critical systems. It is the best way to check for
hardware problems, and quickly diagnose them.
(3) For the same reason you encrypt data on the local network and on the
internet, you should have locks on the entry ways and exits, and to the
server room as both physical and software attacks are quite possible, if not
expected in the course of the day. So a secure software setup does nothing
if your server is in an unlocked shack.
(4) Although, to be fair, Wietse has told people to RTFM in not so many
words before ;-)
(5) Hey, we've all said things we've regretted or that are easy to
misinterpret before. I know *I* have. :-)
-- Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
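The two technical points in the message above, using the POSIX resource-limit APIs so a process "does not exceed rational limits" and footnote (1)'s rule that a failed allocation or open should be refused rather than coredumped, worked through in C as an added example. This is not code from the original message, from qmail or from Postfix; the 1 MiB per-request body cap, the 256 MiB address-space cap and the sample client-claimed lengths are assumed values chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Largest request body we are willing to buffer per connection (assumed policy). */
#define MAX_BODY_BYTES ((size_t)1 << 20)

/* Install a soft RLIMIT_AS (total address space) so that a runaway
 * allocation fails with ENOMEM instead of driving the host into swap.
 * The soft limit is clamped to the hard limit, which an unprivileged
 * process may not raise. Returns 0 on success, -1 with errno set. */
int cap_address_space(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max)
        bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Validate a client-supplied length before allocating for it.
 * Returns 1 if the request is acceptable, 0 if it must be refused. */
int length_is_acceptable(size_t claimed, size_t max_allowed)
{
    return claimed > 0 && claimed <= max_allowed;
}

/* Allocate a body buffer for an untrusted Content-Length.
 * Returns the buffer, or NULL (with errno set) if the client lied or
 * the system refused; the caller logs and drops the connection. */
char *alloc_body(size_t claimed)
{
    if (!length_is_acceptable(claimed, MAX_BODY_BYTES)) {
        errno = EMSGSIZE;
        return NULL;
    }
    return malloc(claimed);   /* may still return NULL under RLIMIT_AS */
}

/* One request: returns 1 if served, 0 if refused. Never aborts. */
int handle_request(size_t claimed_length)
{
    char *body = alloc_body(claimed_length);
    if (body == NULL) {
        fprintf(stderr, "refusing request of %zu bytes: %s\n",
                claimed_length, strerror(errno));
        return 0;
    }
    /* ... read at most claimed_length bytes into body here ... */
    free(body);
    return 1;
}

int main(void)
{
    /* Cap this process at 256 MiB of address space (assumed figure). */
    if (cap_address_space((rlim_t)256 << 20) != 0)
        perror("setrlimit");   /* e.g. RLIMIT_AS unsupported: report, keep going */

    /* Constructed sample lengths a client might claim in a header. */
    size_t samples[] = { 512, MAX_BODY_BYTES, MAX_BODY_BYTES + 1, (size_t)1 << 40 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("claimed %zu -> %s\n", samples[i],
               handle_request(samples[i]) ? "served" : "refused");

    /* An allocation that slips past application policy is still bounded by the kernel. */
    void *big = malloc((size_t)1 << 30);
    printf("1 GiB malloc under the cap: %s\n",
           big ? "succeeded" : "failed cleanly (ENOMEM)");
    free(big);
    return 0;
}
```

The application-level check and the kernel-level limit are deliberately separate: the first refuses what the protocol says is unreasonable, the second catches whatever the first did not anticipate (a leak, a decompression bomb, a bug). On a system where RLIMIT_AS is not honoured, setrlimit reports an error and the program continues with only the policy check, which is the point of footnote (1): an unexpected failure is reported, not turned into a crash.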