At 11:33 AM 2003-02-07 -1000, Vince Sabio wrote:
** Sometime around 15:06 -0500 02/07/2003, Nick Simicich sent everyone:
You know, I have another alert: You might have meant for no one to sign
up for this list, but the default is to let people sign up! The most
restrictive defaults should be picked in all cases, of course, so the
default should be to not let people sign up! And to not let people use
the list at all! And to restrict all English words from being in a
posting, because if people are allowed to use language in mailing list
postings, they could accidentally give away secrets!

I agree with your overall assessment that the "security alert" is B.S.
However, default settings should be reasonable.

And, they made the false claim that the vendor had agreed and released
patches for Mj1, when the patches were actually created by the
reporter. As to whether or not Mj2 agreed, I think that they did, only to
shut the reporter up. I would argue that was a bad tactic.
Again, Majordomo has not been updated for quite a while - the last update
was done when there was an actual vulnerability in the package, which was
some time ago. People have released patches, but that is not germane to the
code base. Anyone applying source patches is also likely to read the doc.
The patch released by the reporter will not be incorporated into any code
bases, as I believe that the license on the code prohibits releasing

For example, setting defaults so that no one can sign up for a new list
is arguably not particularly useful in most cases; OTOH, defaulting
which_access to closed/list/private/something-anything other than "open"
is probably smarter than defaulting it to open.

I agree. However, my point is that the real alert is "read the
manual". And my point is that I agree, you should read the manual, and
that the defaults may not be appropriate no matter what they are set to.

Other comments still apply, including RTFM/RTFDOC when setting up a server
of any sort. And as we all know, sysadmins have nothing but time on their

And if they do not have the time, and they still try to do the job, guess
what: They are likely to configure systems incorrectly and leave all sorts
of holes and they will be a lot more damaging than the release of

SPAM: Trademark for spiced, chopped ham manufactured by Hormel.
spam: Unsolicited, Bulk E-mail, where e-mail can be interpreted generally
to mean electronic messages designed to be read by an individual, and it
can include Usenet, SMS, AIM, etc. But if it is not all three of
Unsolicited, Bulk, and E-mail, it simply is not spam. Misusing the term
plays into the hands of the spammers, since it causes confusion, and
spammers thrive on confusion. Spam is not speech, it is an action, like
theft, or vandalism. If you were not confused, would you patronize a spammer?

Nick Simicich - njs @
com - http://scifi.squawk.com/njs.html
Stop by and light up the world!
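An added illustration of the which_access point argued above, not code from anyone in this thread: a small audit that parses a Majordomo 1 style list config (`key = value` lines, `#` comments) and flags the address-lookup commands left on "open". The key names which_access and who_access and their open/list/closed values are taken from my recollection of Majordomo 1 and should be treated as assumptions; the sample configs are constructed.

```python
"""Audit a Majordomo 1 style list config for permissive access settings.

Added example (not from the thread). Assumes the Majordomo 1 layout of
`key = value` lines with '#' comments, and that which_access / who_access
take one of open, list, closed (assumed key names and values).
"""
import re

# which_access governs "which <address>" (which lists is this address on?),
# who_access governs "who <list>" (dump the subscriber roster).
# "open" = anyone, "list" = subscribers only, "closed" = list owner only.
ACCESS_KEYS = ("which_access", "who_access")
ACCESS_VALUES = {"open", "list", "closed"}
LINE_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*?)$")


def parse_config(text):
    """Return {key: value} for the active (non-comment, non-blank) lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().lower()
    return settings


def audit(text):
    """Return (key, value, note) findings; an empty list means nothing flagged."""
    findings = []
    settings = parse_config(text)
    for key in ACCESS_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append((key, None, "unset; the thread says the shipped default is open"))
        elif value not in ACCESS_VALUES:
            findings.append((key, value, "unrecognized value, check the docs"))
        elif value == "open":
            findings.append((key, value, "anyone can query subscriber addresses; use list or closed"))
    return findings


# Constructed samples: a list left on the permissive defaults, and a tightened one.
WEAK = "# which_access [enum (open,closed,list)] (open)\nwhich_access = open\nwho_access = open\n"
HARDENED = "which_access = closed\nwho_access = list\n"

if __name__ == "__main__":
    for key, value, note in audit(WEAK):
        print(f"{key} = {value}: {note}")
```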