Many thanks for providing me an opportunity to respond to the recent DoS issue reported to Bugtraq.

First, let me say that a hotfix for all our MDaemon/WorldClient Standard customers is available here: http://www.mdaemon.com/helpdesk/hotfix.htm and has been available since the very day the problem was brought to our attention (which was Thanksgiving day I think). This hotfix is for MDaemon 2.8.5.0 and higher. A hotfix for WorldClient Pro is available here: http://www.worldclient.com/helpdesk/hotfix.cfm

11/30/99 we will release full patches for both products.

Another issue related to 350 simultaneous MDConfig connections has recently surfaced at ASCII Japan. MDaemon can be configured to allow secure MDConfig connections which will prevent this problem from ever occurring. This can be done now, however the 11/30/99 full patch will contain additional coding to prevent such a problem from occurring in the event that the system admin has left the port wide open for anyone to exploit.

I am a strong supporter of what groups like Bugtraq and NTBugtraq are doing and I believe that freely sharing information on security issues is good for the consumer and good for the software industry as a whole. However, I deplore the methods that 'USSRLabs' and others employ to this end. Their statement that they have 'contacted the vendor' is patently false. No one in our organization was contacted. I'm certain I speak for many software vendors when I say that groups like 'USSRLabs' are not really taken seriously. Their practices seem to be motivated by a lust for self-aggrandizement rather than a genuine interest in software quality. The fact is, no one cares (or even remembers) who discovers a problem with some piece of software. The only thing the consumer cares about is getting the problem fixed.
I'm proud to say that Alt-N has a reputation for quickly fixing any and all such problems and I'm very proud that over our 4 1/2 year history only two such problems (counting this one) have ever been discovered.

In conclusion, we found out about this particular issue the same way everyone else did - via a mailing list post. But that's ok with us because the relationship we have with our customers is such that we do not hide our mistakes from them. We are not ashamed of problems because we don't consider ourselves to be gods who are above human error. The relationship we have with our customers is not built upon a 'no mistakes' expectation. Rather, it is founded on a history of providing solutions to problems, no matter how large or small, with a promptness that only small companies like ours can provide. For the sake of our customers, not our reputation, it is unfortunate that we were not contacted earlier as the 'USSRLabs' report falsely claims to be the case.

Arvel Hathcock
Alt-N Technologies - http://www.altn.com
----------------------------------------
MDaemon - http://www.mdaemon.com
RelayFax - http://www.relayfax.com
WorldClient - http://www.worldclient.com
----------------------------------------