
March 29, 2006

About Sendmail, IE and other infinite things

Motto: "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein

From a certain point of view, Sendmail and Internet Explorer are two very similar products. They both have a long history of critical bugs and despite these, people keep using them.

One can argue that people are lazy and there is also this mentality supporting the "if it's not broken, why fix it" concept. For IE, spyware kind of changed that - I think it's hard to get infected with a downloader which pops up a message advertising SpyAxe every next minute and not notice it. In the case of sendmail, it's all about the sysadmin and his ability to notice abnormal behavior.

Of course, there is also the "needed" factor. For instance, my bank requires every user to fire up IE in order to do e-banking. In theory, they aren't relying on any IE-specific feature, but one of the programmers put in a couple of JavaScript snippets that don't run well on anything other than IE. The same is true for sendmail - there are lots of expensive mainframes out there which have been designed to run sendmail. By some curious coincidence, they are mostly used in financial institutions.

That makes you wonder: if the people taking care of your money rely on two of the buggiest technologies that have ever been created, IE and sendmail, what is the chance that the rest of the system is just as bad? Or, fingers crossed, even worse?

Posted by Costin Raiu at March 29, 2006 10:34 PM

Comments

I would argue that the comparison is not very accurate. Sendmail is free, open source software. Any technically-inclined user who wishes to do so can fix a bug. You can also run Sendmail in a BSD jail, or on SELinux, or use some other kind of restricted environment if you're not satisfied with the level of security that the default install provides. So the problem then is not about who's running Sendmail, but rather how one is using it.

And what mainframe has been "designed to use sendmail"? I couldn't find one on Google. Granted, they're trying to port Sendmail to all kinds of hardware (including, I suppose, mainframes). But what mainframe has been designed with Sendmail in mind?

Posted by: rc Author Profile Page at March 30, 2006 12:50 PM

The ability to fix a bug is a good thing but given the right skills the source is not mandatory. Just look at the current 0-day IE vulnerability patches from eEye (1) and Determina (2), or the past fix for the WMF vulnerability from Ilfak (3). So in the end, it's only a question of skills - even if the number of people who can patch an open source project is probably higher than the number of people who can write on-the-fly patches for IE.
However, I'm not that sure that open source helps much three days after you've been hacked, backdoored and got all the data from your server stolen through a product that you could have, in theory, patched by yourself.

I, for instance, will stay away from products with a long and infamous history of bugs, in our case sendmail and IE, no matter how open or closed source they are.


1. http://www.eeye.com/html/research/alerts/AL20060324.html
2. http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp
3. http://www.hexblog.com/2005/12/wmf_vuln.html

Posted by: Costin Raiu Author Profile Page at March 30, 2006 6:29 PM
