[thelist] News Item: Major Security Flaw in CVS

Rob Whitener rwhitener at DesignOptions.com
Fri Jan 24 09:05:04 CST 2003


sftp is a secure file transfer that runs on top of ssh.  I think.  Check the
man pages.

Rob

-----Original Message-----
From: Boris Mann [mailto:boris at bmannconsulting.com]
Sent: Friday, January 24, 2003 9:31 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] News Item: Major Security Flaw in CVS


But of course, everyone knew that telnet is *inherently insecure*, so
never used it for anything mission critical.

<tip type="Security" author="Boris Mann">
Both telnet and FTP send passwords in the clear. Telnet is easily
replaced by SSH (and for the most part has been), but FTP is a little
harder to wean yourself from.

WebDAV is a nice replacement, as are various flavours of SSL-protected
FTP.
</tip>

--
Boris Mann
http://www.bmannconsulting.com

On Friday, January 24, 2003, at 05:07 AM, Jason Handby wrote:

>> We could go on and on debating the various merits of both open source
>> and commercial software, but when it comes to overall product security
>> and the speed at which vulnerabilities are repaired, OSS has the
>> commercial world beat by a long shot. Remote exploits go unfixed for
>> *months* in the world of big, expensive applications. Rarely (if ever)
>> is that the case with OSS.
>
> The famous exception, of course, being the vulnerability in all BSD-derived
> versions of telnetd (the UNIX/Linux telnet daemon). This buffer overrun had
> existed for years before anyone noticed it was there.
>
>   http://www.cert.org/advisories/CA-2001-21.html
>
> I wonder if that points up a weakness with the open-source code review
> process: people only spend time looking at code that's cutting-edge or
> "sexy", and telnetd clearly isn't sexy... At Microsoft (for example)
> programmers don't revisit and re-examine code because it's sexy; they do it
> because they're paid to. This might mean it's not done as thoroughly or as
> fast in many cases, but perhaps it guarantees that it's actually done at
> all!
>
> Jason
>

--
* * Please support the community that supports you.  * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !
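The tip above says telnet and FTP send passwords in the clear while SSH (and sftp, which runs over it) do not. The script below is an added example, not code from anyone in this thread: it models what a passive on-path observer recovers from captured TCP payloads of each protocol. Every segment in it is constructed sample data, not a real capture; the usernames, passwords, hostnames and SSH banner are invented, and the telnet option-negotiation bytes are only there to show that the typed text survives once RFC 854 negotiation is stripped.

```python
"""Added example (not from the thread): a sniffer's view of FTP, telnet and SSH.

All segments below are constructed sample data; names, passwords and the
SSH banner are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    dst_port: int      # server port: 21 = FTP control, 23 = telnet, 22 = SSH
    from_client: bool  # True for client -> server bytes
    payload: bytes


IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT: 3-byte sequences


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop RFC 854 option negotiation so only typed/echoed text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:  # IAC IAC = literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] in NEGOTIATE:
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:   # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                           # two-byte command
            i += 2
    return bytes(out)


def _text(b: bytes) -> str:
    return b.decode("ascii", errors="replace")


def extract_cleartext_credentials(segments):
    """Return every (protocol, user, password) readable straight off the wire."""
    found = []
    ftp_user = None
    telnet_state, telnet_buf, telnet_user = None, b"", None
    for seg in segments:
        if seg.dst_port == 21 and seg.from_client:
            # FTP logins are literal USER/PASS commands on the control channel.
            for line in seg.payload.splitlines():
                verb, _, arg = line.partition(b" ")
                if verb.upper() == b"USER":
                    ftp_user = _text(arg)
                elif verb.upper() == b"PASS":
                    found.append(("ftp", ftp_user, _text(arg)))
        elif seg.dst_port == 23:
            text = strip_telnet_negotiation(seg.payload)
            if not seg.from_client:
                # The server's prompts say which field the next keystrokes fill.
                lowered = text.lower()
                if b"login:" in lowered:
                    telnet_state, telnet_buf = "user", b""
                elif b"password:" in lowered:
                    telnet_state, telnet_buf = "password", b""
            elif telnet_state:
                # Clients usually send one keystroke per segment; reassemble until Enter.
                telnet_buf += text
                if b"\r" in telnet_buf or b"\n" in telnet_buf:
                    value = _text(telnet_buf.split(b"\r")[0].split(b"\n")[0])
                    if telnet_state == "user":
                        telnet_user = value
                    else:
                        found.append(("telnet", telnet_user, value))
                    telnet_state, telnet_buf = None, b""
        # Port 22: after the plaintext version banner everything is ciphertext,
        # so there is nothing for this extractor to parse.
    return found


# Constructed sample traffic (not a real capture).
SAMPLE_SEGMENTS = [
    Segment(21, False, b"220 ftp.example.test ready\r\n"),
    Segment(21, True,  b"USER alice\r\n"),
    Segment(21, False, b"331 Password required\r\n"),
    Segment(21, True,  b"PASS hunter2\r\n"),
    # telnet: DO/WILL negotiation, prompt, then one keystroke per segment with echo
    Segment(23, False, bytes([IAC, 0xFD, 0x18, IAC, 0xFB, 0x01]) + b"login: "),
    Segment(23, True,  b"b"), Segment(23, False, b"b"),
    Segment(23, True,  b"o"), Segment(23, False, b"o"),
    Segment(23, True,  b"b"), Segment(23, False, b"b"),
    Segment(23, True,  b"\r\n"), Segment(23, False, b"\r\n"),
    Segment(23, False, b"Password: "),
    Segment(23, True,  b"s3cret\r\n"),
    # SSH: plaintext banner exchange, then only opaque ciphertext (constructed bytes)
    Segment(22, False, b"SSH-2.0-example\r\n"),
    Segment(22, True,  b"SSH-2.0-example\r\n"),
    Segment(22, True,  bytes.fromhex("9f3a1c77e2b0445d0183c6ee")),
]

if __name__ == "__main__":
    for proto, user, password in extract_cleartext_credentials(SAMPLE_SEGMENTS):
        print(f"{proto}: user={user!r} password={password!r}")
```

Running it prints the FTP and telnet logins in full and nothing for the SSH flow; the same port-21/port-23 logic is what a network IDS uses to raise a "cleartext credentials" alert, which is the practical argument for moving those services to sftp or an SSL-protected FTP.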