Re: Email marketing company gives out questionable security advice

2003-07-12 D. J. Bernstein
the system-specific suggestions that people have sent to me. Further contributions are welcome. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

Re: Email marketing company gives out questionable security advice

2003-07-07 D. J. Bernstein
done anyway. Typical picture-generating programs can be isolated in the same way. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago P.S. It's hard for a portable chroot tool to cut off a program's network access

Re: Remote buffer overflow in resolver code of libc

2002-07-04 D. J. Bernstein
client libraries really can be protected by the BINDv9 cache (or by dnscache). But I haven't seen the analysis necessary to justify this claim. At this point it isn't even clear whether the BIND company is making that claim. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics

Re: Multiple vendors FTP denial of service

2001-03-19 D. J. Bernstein
The FTP specification doesn't require servers to support .. and *. In fact, it doesn't even mention .. and *. Naturally, publicfile's ftpd treats * as just another character, and converts . to : after slashes. FTP does, however, include an NLST command that lists all files in the current

Re: analysis of auditable port scanning techniques

2001-01-16 D. J. Bernstein
Dan Harkless writes: Theo de Raadt just informed me via email that OpenBSD fixed their identd to only report SS_CONNECTOUT sockets in 1996. The MTA and the FTP server and many other daemons will make outgoing TCP connections upon request. This bogus ``fix'' does not achieve the stated goal of

The 200 trusted .com servers

2000-01-24 D. J. Bernstein
Would you trust *.com DNS information from a computer that's running BIND 8.2.1 and Sendmail 8.8.5 today, sitting on an open network in the electrical engineering department at a large Australian university? ``Of course not,'' you say. ``Top-level DNS servers can't use versions of BIND with

Re: vpopmail/vchkpw remote root exploit

2000-01-23 D. J. Bernstein
This ``qmail-pop3d security advisory'' is fraudulent. There are no security problems in the qmail package. There are some serious security problems in the vpopmail/vchkpw package. But vpopmail/vchkpw is not part of qmail. I didn't write it. I haven't reviewed it. I don't distribute it. I don't

Re: BIND bugs of the month (spoofing secure Web sites?)

1999-11-14 D. J. Bernstein
Let's say an attacker wants to intercept your ``secure'' transactions with hugebank.com. Here's what happens: (1) The attacker obtains two IP addresses, say 1.2.3.4 and 9.8.7.6. He also obtains a domain name, say secure-banking.dom. (2) The attacker sets up a DNS record for

Re: BIND bugs of the month (spoofing secure Web sites?)

1999-11-14 D. J. Bernstein
Gary Gaskell says that an attacker shouldn't be able to get a certificate for ``HugeBank Secure Banking.'' Why not? Do you think that the only HugeBank in the world is the one that you have an account with? What if you're trying to communicate securely with ``Joe's Auto Parts,'' or (to take a