[ntp:questions] Re: Taming the pinball machine

Maarten Wiltink maarten at kittensandcats.net
Thu Nov 13 13:07:11 UTC 2003


> "David L. Mills" <mills at udel.edu> wrote in message
news:3FB26AF5.34A18351 at udel.edu...

> I am neither defending nor denigrating our sysadmin paranoia, but I
> do observe security issues seriously bog down the staff from more
> productive effort. [...]

From mingling with sysadmins, I have been convinced that paranoia is
a good thing in them. What I was trying to say was, this policy is
inevitably going to end in withdrawal of FTP support anyway. Better
do that right now if FTP is a threat and alternatives are available.

The same paranoia would ask if the alternative is any better.


> Case in point. Awhile back some dude found a stack threat in ntpd,
> which is not surprising considering its age. However, I was astonished
> at the hyper level of brute anger directed at the programmers. The
> gaffe was considered a threat to the infrastructure and integrity of
> the Internet universe and to prolong the gaffe even one microsecond
> was unforgivable. The CERT was literally raining on me. After a few
> days of analysis I found much of the threat was overinflated and the
> example program reputed to expose the problem was in every way bogus.
> You get a few of these things in any month and it's easy to become
> acutely paranoid.

An exploitable stack overflow _is_ a threat, and it's CERT's job to
be paranoid, too, and get vulnerabilities fixed as quickly as humanly
possible. And humanely possible, which they may sometimes forget as
it mixes badly with the paranoid part. Please keep in mind that you
both have valuable contributions to make to the Internet community,
and I can only hope that so will they. The bad guys are yet other
people.

Groetjes,
Maarten Wiltink