MajorDomo

Albert P Tobey albert.tobey at priority-health.com
Wed Oct 10 16:11:16 CDT 2001


On Tue, 2001-10-09 at 08:06, matthew_heusser at mcgraw-hill.com wrote:
> 
> So, here's the theoretical question of the hour:
> 
>   You walk into a meeting about List-Serv management software,
> someone throws out the number "We will pay around $1,500."
> 
>   You respond "uh, dude, MajorDomo is Free."
> 
>   Which begs the questions "But we'd have to recompile it and
> port it to Win32."
> 
>   "Well, uh, like, no.  For $1,500 we could buy a linux box and just
> like, run it and stuff.  For $750 we could do that."
> 
>   "But we don't do UNIX."
> 
>   "So we could rent space somewhere for $10/month and run a list-serv."
> 
>   "We don't do off-site hosting."
> 
>   "But it's not web-hosting, and other divisions out-source their list-services;
> that's why we need to get our own."
> 
>   "We'd have to re-compile it."
> 
>   "Well, uh, no, MajorDomo is a Perl script."
> 
>   "If it's open source, we'd have to look at the code."
> 
>   "Well, not really, and it's in Perl, which is one of our core competencies."
> 
>   "MajorDomo has security holes."
> 
>   "Really?  It's been around for years.  Everybody uses it.  A search on
> Yahoo for 'Security Majordomo' lists a few common problems, but those
> are really just problems for administrators that fail to perform due diligence.
> Majordomo is relatively secure."
> 
>   "No.  It's got all kinds of security holes."
> 
>   "Is this proof by repeated assertion, or just Fear, Uncertainty, and Doubt?
> (FUD) - I can never tell those two apart ... "
> 
>   -- So, all that said, hypothetically, where would you take this discussion?
> (And keep it civil ...)
> 
> regards,
> 
> Matt H.
> 
  Quote Bruce Schneier or any other well-known security expert - they
all agree that open standards and open source are, by design, more
secure because security problems can be quickly spotted and fixed by the
community.  Also, see my signature at the end of this message.  It's a
quote from a whitepaper that Microsoft published - this is the full
context, but Microsoft just didn't seem to 'get it' when they published
the paper.
  Also, most of the security holes they're referring to (you might also
call them on it and ask which holes they're talking about) are old
sendmail hacks that, also, have been fixed for ages.  Make sure they
can cite specific examples of holes from Bugtraq or the like.
  Another important point to make is that any other mailing list
software out there is going to seem rare compared to Majordomo.  The
fact that Majordomo is ubiquitous makes it more prone to having bugs
discovered (and subsequently fixed) than any of the other software
available.  How can I find security holes in company XXXYYYZZZ's
software if there aren't any installations in the wild to hack?  It is
considerably easier to find holes in a list if you're on the list also,
and I'd wager that most of the $1500 software based lists have a fairly
select member list and don't advertise themselves.

But really, my favorite way to solve this dilemma is to scream
obscenities and beat people with large cardboard shipping tubes until
they see things my way.  "My way or ER stay"

-Al Tobey
-- 
 "Open source" means that anyone can get a copy of the source code.
Developers can find security weaknesses very easily with Linux.
The same is not true with Microsoft Windows.

Microsoft, "What Every Retailer Should Know", February 2001


