Re: EMERGENCY: new remote root exploit in UW imapd

[jjg () LUCENT COM (Jim Greene)]

> From: Allanah Myles <dossy () PANOPTIC COM>
>
> On 1998.07.20, Brett Lymn <blymn () BAEA COM AU> wrote:
> > A sufficiently determined programmer can write crap code despite the
> > language.
>
> This is the key issue with the inherent security problems.  The
> collolary to this statement is "better tools allow bad programs to
> implement bad designs faster."  Using "better tools" as others seem
> to suggest will *not* gain us any more "security" than we already
> have, if we don't also change the quality of programmers.

You have misread the statement you quoted. It read, "sufficiently
determined", not "incompetent", in reference to programmers. The two types
of programmers are vastly different in abilities, one would imagine. The
correct corollary (not collolary) to this statement would then be "better
tools allow sufficiently determined programmers to implement bad designs
faster". Try and stop a sufficiently determined programmer sometime.

Your statement that better tools will not gain us more security is wrong. To
give a non-technical analogy so you can understand the situation, I will
give three similar sentences. If you cannot see the similarities, you are
sufficiently determined to ignore the issues.

1) The training wheels on a child's bicycle help keep him/her from falling
   down when learning to ride.

2) My 6-foot fence keeps my neighbor's crazy pitbull out of my yard.

3) Bounds checking on array accesses eliminates one class of careless buffer
   overflows.

>          Why in god's name should a mail system require
> system-wide root privilages?  As a normal user, I should be
> able to manipulate my own mailbox.  Why shouldn't the agent
> through which I manipulate my own mailbox run, from start
> to finish, with no more privilages than my own user?

Why ask ridiculous questions? Why invoke melodramatic phrases like "Why in
god's name..." when it is obvious that a remote mail server, working with
UNIX filesystem privileges (not privilages!), _must_ run at an elevated
state in order to access files or at least switch to another user's ID? I
believe you don't understand the very important different between a local
user and a remote user.

>                                    "Tools don't produce bad
> software. Bad designers produce bad designs from which bad
> software is implemented."

You address the bugtraq readers as if they are morons. Please stop.

> In developing new "secure systems," we should spend less time
> *securing* already existing insecure systems, in the hopes
> of deluding ourselves that they have somehow become "secure"
> (when we know we can never prove such a thing).  We should
> instead focus our energies on designing software systems
> where the threat-level is as minimal as possible.

You demand that we have no faith in the systems that many have been working
(with varying levels of success) to secure, and then point over the hill at
the promised land: The Software That Was Designed Correctly. This is the
viewpoint of the theoretical student, the armchair warrior, and the barstool
philosopher. Nothing will ever be perfect. Security is the limit as danger
approaches zero.

>                       [...] why does a tool like "rm"
> exist?  Yes, in the wrong hands, "rm" can be very devastating.
> But, without necessary privilages, the scope of the damage
> is much smaller.  So, design tools that do not require
> unnecessary privilages, and focus on preventing unauthorized
> gain of those privilages.

You argue with one face that to use better tools is ineffective, and then
your other face argues that we should build better tools to use. Which of
your faces is one to believe?

>                                      Well, then, if
> you want a secure system, be prepared to build one---from
> scratch, if need be.

Nihilist, be gone! You may only return with this argument when _you_ have
built the Perfectly Secure System From Scratch.

>                     Perhaps even the existing notion of
> UNIX-based privilages is insufficient for any real
> security - design a better model, and implement it.
> Don't complain about the tools people choose to use,
> as changing those won't improve security, they'll just
> give us new types of security problems to find.
>
> - -Dossy

You have complained and told us not to complain. You have told us all is bad
and we must not use it, but offered nothing that is good. You have told us
to change what we have for security, then told us it is impossible to change
due to security. Your arguments all turn on each other like a pack of rabid
dogs. You offer only confusion and annoyance.

--Jim