Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sendmail Bug Tests US Dept Homeland Security

Posted by CmdrTaco on from the not-to-mention-sysadmins-everywhere dept.

yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."

8 of 293 comments (clear)

  1. bleh by Joe+the+Lesser · · Score: 5, Insightful

    While keeping news of the issue from leaking to those who might exploit the vulnerability.

    Free flow of information > Security

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  2. So what? by da3dAlus · · Score: 5, Insightful

    Are they saying that this worked perfectly? If so, what about the next exploit? What if Joe Nobody finds a hole, and makes it public before the DHS gets with the makers of the software? What about the businesses in the private sector that fail to patch their systems? Wasn't the fix for SQL Slammer out for months? I'm sure this is a step in the right direction, but really, what happens next time?

    --

    Sometimes I doubt your commitment to Sparkle Motion.
  3. Sendmail - too flexible for most by linuxkrn · · Score: 5, Insightful

    Sendmail is a very flexible mail package...too flexible for most people.

    It's power and configuration settings make it a good choice for admins who have taken the time to read on it. However, more often then not we find that there are a lot of lazy admins out there who just get it "up and running" and don't care to understand the security issues with the server. While I've used sendmail for years in the past, but now use postfix. There are a slew of other mail programs out there that can be configured without having to use m4 rules, understand sendmail's rewrite metods etc. I would suggest that if you must have a mail server up, but don't want to take the time to learn sendmail, PLEASE, use something else. I realize this is a little off-topic but it's not too much. It all boils down to securing the net. That takes more then a few bug fixes (and YES you must apply all of them) and a good admin to configure the server/services.

  4. Improved policy? by Jeppe+Salvesen · · Score: 5, Insightful

    Wouldn't it be best to issue a statement like "sendmail has an exploitable vulnerability, we recommend that you switch to your standby alternate mail system until we release a fix"? There is no way that blackhats would figure out where to look from a statement like that, and those of us with really good security could switch to our exim-based solution if we really feared to be hacked. Basically, do we trust the homeland security dept to determine our security policy?

    That being said, good to see a well coordinated patch release. I just wish the paranoids would get advance warning.

    --

    Stop the brainwash

  5. Re:Encouraging by ecalkin · · Score: 5, Insightful

    sadly, i don't see the 'force people to fix security holes' where we need it.

    we have (mostly) good timing getting patches out (even ms gets patches out), but getting end users to *apply* the patches has been a problem. lack of knowledge, time, technical skills, etc.

    at this point, this does seem to be addressed.

    how do we (ahum) fix the end user? my belief is that it should be required that end users have staff/contractors that are certified on their stuff *and* that hey maintain a maintenance log that documents actions or lack of them. if you look at radio stations and the requirements they include licensed radio engineers and logs and other must-dos and must-haves.

    it's time people understood that being connected to everyone else requires a little bit more work.

    eric

  6. DHS versus Early Disclosure by mcgroarty · · Score: 5, Insightful
    If I've got a vulnerable service running on on of my systems, I'd rather know about it right away so I can make the decision as to whether I want to keep it running or temporarily deploy an alternate service.

    I liked the handling of ssh's problems last year much better. "Heads up, there's a problem in these versions. We'll let you know exactly what after we get the patch out." It's not enough to give a hacker a reasonable foot up, but it gets the service off the network should anyone already be quietly taking advantage of the weakness.

  7. Re: Dept. of Homeland Security by Black+Parrot · · Score: 5, Insightful


    > Speaking of the Dept. of Homeland Security, here's an link [democratic...ground.org] to an article with some suggestions to Tom Ridge on how to improve his department, so that it actually keeps the citizenry well-informed and aware of possible terrorist threats and how to handle them (as opposed to keeping them scared and in an information blackout).

    You're making a mighty big assumption about what the DoHS was created for.

    --
    Sheesh, evil *and* a jerk. -- Jade
  8. Publicity keeps vendors honest by Anonymous Coward · · Score: 5, Insightful

    Does anybody else find it disturbing that "good security" is being equated with "keeping exploits quiet"?

    It's precisely the threat of publicity that pressures vendors into patching their compromised software quickly. If that threat is relieved, by Official KeepYerDamnMouthShut Orders from a government body, those same vendors may start to think "Phew, now we can wait for the next upgrade".

    This is Not a Good Thing.