[thelist] News Item: Major Security Flaw in CVS

Boris Mann boris at bmannconsulting.com
Fri Jan 24 08:32:01 CST 2003


But of course, everyone knew that telnet is *inherently insecure*, so
never used it for anything mission critical.

<tip type="Security" author="Boris Mann">
Both telnet and FTP send passwords in the clear. Telnet is easily
replaced by SSH (and for the most part has been), but FTP is a little
harder to wean yourself from.

WebDAV is a nice replacement, as are various flavours of SSL-protected
FTP.
</tip>

--
Boris Mann
http://www.bmannconsulting.com

On Friday, January 24, 2003, at 05:07 AM, Jason Handby wrote:

>> We could go on and on debating the various merits of both open source
>> and commercial software, but when it comes to overall product security
>> and the speed at which vulnerabilities are repaired, OSS has the
>> commercial world beat by a long shot. Remote exploits go unfixed for
>> *months* in the world of big, expensive applications. Rarely (if ever)
>> is that the case with OSS.
>
> The famous exception, of course, being the vulnerability in all
> BSD-derived versions of telnetd (the UNIX/Linux telnet daemon). This
> buffer overrun had existed for years before anyone noticed it was there.
>
>   http://www.cert.org/advisories/CA-2001-21.html
>
> I wonder if that points up a weakness with the open-source code review
> process: people only spend time looking at code that's cutting-edge or
> "sexy", and telnetd clearly isn't sexy... At Microsoft (for example)
> programmers don't revisit and re-examine code because it's sexy; they
> do it because they're paid to. This might mean it's not done as
> thoroughly or as fast in many cases, but perhaps it guarantees that
> it's actually done at all!
>
> Jason
>
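The tip above says FTP sends passwords in the clear and points to SSL-protected FTP as one fix. The following is an added example (not part of the original post or of any tool it mentions) showing how a defender can check a capture of the FTP control channel for exactly that exposure. It assumes a constructed text format, one line per command or reply with "C:" and "S:" direction prefixes, rather than any real sniffer's output; the server codes (234 accepting AUTH TLS, 331/230 during login) follow the FTP RFCs. It also covers the failure mode where a client offers AUTH TLS, the server refuses, and the client falls back to a cleartext PASS.

```python
"""Flag cleartext FTP credentials in a captured control-channel transcript.

Added example; the capture format (lines prefixed "C:" / "S:") is constructed
for illustration and is not the output of any real tool. The password value
itself is never stored in a finding, only the fact that it crossed the wire.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line_no: int            # 1-based line in the capture where PASS was sent
    user: Optional[str]     # username from the preceding USER command, if any
    reason: str


CLIENT = re.compile(r"^C:\s*(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$")
SERVER = re.compile(r"^S:\s*(?P<code>\d{3})")


def scan_ftp_control(lines: List[str]) -> List[Finding]:
    """Return one Finding for every PASS sent while the channel was unprotected.

    The channel counts as protected only once the client has sent AUTH TLS and
    the server has answered 234 (RFC 4217). Before that, or after a refusal,
    every command is plaintext on the wire, PASS included.
    """
    findings: List[Finding] = []
    protected = False       # True after a successful AUTH TLS exchange
    pending_auth = False    # AUTH TLS sent, waiting for the server's verdict
    auth_refused = False    # server declined AUTH TLS (cleartext fallback risk)
    last_user: Optional[str] = None

    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        m = CLIENT.match(line)
        if m:
            cmd = m.group("cmd").upper()
            arg = (m.group("arg") or "").strip()
            if cmd == "AUTH" and arg.upper() == "TLS":
                pending_auth = True
            elif cmd == "USER":
                last_user = arg
            elif cmd == "PASS" and not protected:
                if auth_refused:
                    reason = "PASS sent after server refused AUTH TLS (cleartext fallback)"
                else:
                    reason = "PASS sent on unencrypted control channel"
                findings.append(Finding(n, last_user, reason))
            continue
        m = SERVER.match(line)
        if m and pending_auth:
            protected = m.group("code") == "234"
            auth_refused = not protected
            pending_auth = False
    return findings


# Constructed sample captures (hostnames and credentials are made up).
PLAINTEXT_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
]

FTPS_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    "[TLS handshake; remainder of the control channel is ciphertext]",
]

DOWNGRADED_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 502 Command not implemented",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
]


if __name__ == "__main__":
    for name, session in [("plaintext", PLAINTEXT_SESSION),
                          ("ftps", FTPS_SESSION),
                          ("downgraded", DOWNGRADED_SESSION)]:
        for f in scan_ftp_control(session):
            print(f"{name}: line {f.line_no} user={f.user!r}: {f.reason}")
```

Run against the three constructed sessions it reports the plaintext login and the downgraded one, and nothing for the session where AUTH TLS succeeded, since after the 234 reply there is no readable PASS to find. The same state-machine idea applies to the telnet side of the tip, but telnet has no fixed login grammar, so it is not parsed here.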