On Tue, 2004-01-27 at 17:48, Don Seiler wrote:
> On Tue, Jan 27, 2004 at 03:05:21PM -0800, AthlonRob wrote:
> > Please don't top-post, it just plain sucks...
> My email etiquette is the least of my worries. Thanks for caring
Well, hopefully a few bugs in gaim aren't the greatest of your worries,
> I agree about the root thing, but saying that damage "will not be so
> huge" is like saying that cutting off your pinky doesn't matter because
> the damage will not be so huge. You'll still probably have total
> functionality of your hand, but I'm sure you'd rather not go through
> the process of cutting off your pinky and recovering from it.
If you wish to use physical situations as similes, I'm game. I would
say using gaim in its current form, with these bugs, is hardly like
cutting off your pinky. Any data lost would likely be replaced from
backups or recreated readily. I would say the damage potentially done
is about like cutting yourself while cooking; sure it hurts for a few
minutes, maybe bleeds a little bit, but you're fine within a few hours.
I would have to say using gaim is far safer than cutting a potato... or
a bagel. Did you know slicing bagels is about *the* most dangerous
thing you can do in a kitchen?
> Yes it is assuming and the security focus group has proof of concept
> code to do it. I don't experience that many gaim crashes, maybe 2 or 3
> a week. Just because gaim crashes for me now means I shouldn't care
> that now someone else can crash it on demand?
Care about it, sure. But is it really all that bad? Nobody else has
figured out how to do this, so the problem doesn't actually exist, does
it? Until somebody figures out how to crash gaim, then they identify
people who use gaim they wish to crash, then get in position to do it,
who really gives a damn, anyway?
> Yes I can. The fact that someone can do anything uninvited and
> unwelcome on my machine is a serious security flaw. Are you a Windows
> user that you somehow think remote exploits are just a fact of life that
> we should learn to live with?
Remote exploits *are* a fact of life, regardless of the OS you happen to
be using. In Windows, they are utilized frequently to do harm. In
Linux, not so much. They're found frequently, and patched frequently.
Usually in fairly old code... so you lived with the exploit being there
for a long time, you just didn't know you were living like that.
*If* the exploit is not being utilized (and this one is not) *and* it is
minor (they are hardly going to be able to root your box with this),
*and* fixes are available for those who are really interested, I think
there is not a huge problem.
If you feel this strongly about security on a system, you probably
shouldn't be using any X application at all. You probably shouldn't
even be using Linux... OpenBSD is probably more up your alley.
> I'm not speaking in relative terms. Just because gaim isn't spreading
> the Melissa virus around doesn't mean we shouldn't worry about it. As I
> said before, the fact that someone with enough motivation can do
> something that I don't want them to on my machine is a _serious_
> security flaw. Keep telling yourself otherwise if it makes you feel
> more comfortable.
I'd rather not make mountains out of molehills, myself... :-)