Received: from localhost by CS.UTK.EDU with SMTP (cf v2.9s-UTK)
	id NAA13376; Wed, 20 Mar 1996 13:32:43 -0500
Received: by CS.UTK.EDU (bulk_mailer v1.4); Wed, 20 Mar 1996 13:32:23 -0500
Received: from ng.netgate.net by CS.UTK.EDU with ESMTP (cf v2.9s-UTK)
	id NAA13338; Wed, 20 Mar 1996 13:32:17 -0500
Received: from [205.214.160.38] (d6.netgate.net [205.214.160.38]) by ng.netgate.net (8.6.12/8.6.9) with ESMTP id KAA13250 for <drums@cs.utk.edu>; Wed, 20 Mar 1996 10:41:54 -0800
X-Sender: dcrocker@ng.netgate.net
Message-Id: <v03005613ad75f9718451@[205.214.160.62]>
In-Reply-To: <19960320173628.446.qmail@koobera.math.uic.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 20 Mar 1996 10:10:44 -0800
To: drums@cs.utk.edu
From: Dave Crocker <dcrocker@brandenburg.com>
Subject: Re: msg-id

Dan,

At 9:36 AM 3/20/96, D. J. Bernstein wrote:
>> > Your style of program design has been demonstrated to lead to security
>> > holes.
>> I be interested in specifics on this
>
>``Least privilege.'' Code should not execute with more privilege than it
>needs. Three of the last seven sendmail security holes would have been
>nothing more than core dumps if Eric Allman had followed this principle.

	I was asking about any specific security problems this issue will
introduce.  The principle you cite is fine as a principle -- and I wish
more folks paid attention to it -- but doesn't give a concrete basis for
warning one away from specific features.  What, precisely, is the security
concern for this specific suggestion?

>doesn't matter how ``secure'' your messages are if an attacker takes
>over your machine!

	how will the inclusion of the local host name permit this?

>That's exactly the attitude that creates insecure programs.
>
>You don't always see bugs in advance, but you can give them several
>hurdles to jump before they cause security holes. Adding unnecessary
>code to setuid programs means flattening the hurdles.

	As for myself, I've always believed that the retail business would
be a whole lot less stressful on sales people if we could just find a way
to get rid of all those customers.

	Life is risks.  operational security is a matter of balancing
feature enhancement against potential risks.  If you want perfect security,
write an autistic program.  No security problems at all.  Not much utility
either.  We need a balance, not an absolute adherence to one extreme or the
other.

d/

--------------------
Dave Crocker                                              +1 408 246 8253
Brandenburg Consulting                               fax: +1 408 249 6205
675 Spruce Dr.                                   dcrocker@brandenburg.com
Sunnyvale CA 94086 USA                         http://www.brandenburg.com

Internet Mail Consortium                 http://www.imc.org, info@imc.org