Date: Mon, 18 Jan 2010 15:12:24 +0100 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Phil Oleson <oz@nixil.net> Cc: freebsd-security@freebsd.org Subject: Re: sendmail 8.14.4 Message-ID: <86pr5733jr.fsf@ds4.des.no> In-Reply-To: <4B50FF48.2070801@nixil.net> (Phil Oleson's message of "Fri, 15 Jan 2010 16:50:32 -0700") References: <4B50FF48.2070801@nixil.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Phil Oleson <oz@nixil.net> writes: > [...] a customers PCI scan is reporting this as a problem. I know > many of these scans tend to do version string checks and don't > actually check if the problem is possible to exploit, [...] It's much, much worse: the vulnerability lists used in these tools are usually generated by blindly concatenating the contents of various online vulnerability databases, with little or no quality control. Pretty much anyone and his dog can issue an advisory - just write something plausible-sounding and post it on bugtraq, and it will end up in a database somewhere, and eventually trickle down to one or more vulnerability scanners, even if nobody can reproduce it, and before you know it somebody has to make a public statement like this: http://maycontaintracesofbolts.blogspot.com/2008/07/old-history.html although it won't do much good, because the people who write those scanners don't give a shit as long as they get their money and / or fame. It is MHO that most "security experts" associated with "the end of the Internet is nigh, film at 11" press reports are frauds and narcissistic media whores. Unfortunately, journalists don't understand the tech and are too clueless and / or pressed for time to seek confirmation or clarification from reliable sources, so you end up with hagiographies like this: http://www.seattlepi.com/local/373426_insecure04.html Google has ~10k hits for "+Kaminsky +saved +the +Internet". Food for thought. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86pr5733jr.fsf>