This article must adhere to the biographies of living persons (BLP) policy, even if it is not a biography, because it contains material about living persons. Contentious material about living persons that is unsourced or poorly sourced must be removed immediately from the article and its talk page, especially if potentially libellous. If such material is repeatedly inserted, or if you have other concerns, please report the issue to this noticeboard. If you are a subject of this article, or acting on behalf of one, and you need help, please see this help page.
Needs to be added to article: http://cr.yp.to/mac.html
I've added a new Software licensing section to the article. The content is OpenBSD-heavy right now, and is taken from that article since Bernstein played a significant role in a high-profile licensing issue of that project. There may be non-OpenBSD content we can include in this section also, but at least this is a start and it's well referenced. -- Ds13 18:52, 10 April 2006 (UTC)
I've restored the section that was deleted describing Bernstein as a "controversial figure". I'm open to seeing it significantly re-written, but the article is pretty incomplete without some mention of the way that he's not scared of controversy and strong words in online discussion. I have to say, though, he is absolutely charming company in person. — ciphergoth 08:13, 29 April 2006 (UTC)
So obviously this is where the POV issue comes from.
Two problems with these grafs: (1) the notion that there has ever been an exploitable bug in qmail is heavily disputed (you'd need to specify a 64-bit arch/os in which qmail installs in a vulnerable configuration), and (2) the weight that this debate puts on qmail security in a biographical article. —Preceding unsigned comment added by Tqbf ( talk • contribs)
Apart from edit history relative to the obscurity of the topic, is there a reason why this article is marked NPOV? —Preceding unsigned comment added by Tqbf ( talk • contribs)
Someone would care to relate these 3? As djb forbids qmail binary releases, either with or without patches, for security reasons, it doesn't seem to me that OS vendors are willing to distribute the qmail sources along with their OS distros. Can someone get some official info on this, with references in this page? -- Netshark 02:07, 11 February 2007 (UTC)
user User:Allansteel asks in his edit summary "(Reinstate section on particular thing about DJB. This time with a source to keep someone happy (sigh!!!). Why do people remove objective stuff and not the vast subjective drivel on wikipedia?)".
why? because we're trying to build an encyclopedia. everything is subjective in some sense or another. what matters on wikipedia is not truth but verifiability. check the edit history, and you'll see the BS that preceded my removal. then you'll have an idea of the context. yes, there's tons of useless drivel on wikipedia. it's a battle between those who love to spew drivel, and those who have to follow along behind the circus elephants with a shovel. the latter is harder work. Anastrophe 03:37, 17 August 2007 (UTC)
http://article.gmane.org/gmane.network.djbdns/13864
This seems like it's the first time in quite a while that DJB has acknowledged a bug in DJBDNS (and paid his promised reward). How should this be integrated into the article? The DJBDNS article probably needs some alterations too. XenonofArcticus ( talk) 22:00, 4 March 2009 (UTC)
It's a little, err, exaggerated to state that DJB's software has never had a security problem. This isn't true. Qmail has a broken bounce model that allows a random spammer/joe job to mailbomb someone by sending forged email to a known non-existent email address on a Qmail server.
Also, dnscache does not correctly catch the SIGPIPE that it will get when a TCP connection gets an RST packet, causing the program to terminate (and be restarted, if managed by DJB's other tools), which is a denial of service attack.
That in mind, I have reworded his software section to point out his software has not had privilege escalation security problems. Which, may I point out, puts it in the same ballpark as Postfix, BIND 9, my own MaraDNS, etc.
Indeed, Postfix is a good deal more secure than a stock Qmail (no joe jobbing, for example), and both BIND 9 and MaraDNS are more secure than a stock Djbdns (no known DOS attacks in the latest versions, compared to the known DOS attack against Djbdns).
Reference for qmail problems: [3] [4], and a reply from a DJB advocate: [5]. Self-ref for summary of djbdns problems: [6] Samboy 16:38, 19 September 2007 (UTC)
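As an added example, not code from this page or from djbdns, the C program below shows the failure mode described in the post above (a write to a connection the peer has torn down generates SIGPIPE, which terminates any process with the default disposition) beside the usual mitigation of ignoring SIGPIPE so the write returns EPIPE and the server can drop just that client. The socketpair with a closed peer end is a constructed stand-in for a TCP connection that received an RST.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for a reset TCP connection: a UNIX stream socketpair
 * whose peer end is already closed. Returns the surviving end or -1. */
static int closed_peer_socket(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    close(sv[1]);                          /* the peer has gone away */
    return sv[0];
}

/* Mitigation: with SIGPIPE ignored, writing to a dead connection no longer
 * kills the daemon; write() returns -1 with errno == EPIPE instead. */
int write_errno_with_sigpipe_ignored(void) {
    struct sigaction ign = {0}, old;
    ign.sa_handler = SIG_IGN;
    sigaction(SIGPIPE, &ign, &old);
    int fd = closed_peer_socket();
    int err = 0;
    if (fd < 0 || write(fd, "reply", 5) < 0)
        err = errno;                       /* expected: EPIPE */
    if (fd >= 0) close(fd);
    sigaction(SIGPIPE, &old, NULL);        /* restore previous disposition */
    return err;
}

/* Failure mode: the same write under the default disposition does raise
 * SIGPIPE. It is blocked here so it stays pending instead of terminating
 * this process, then discarded. Returns 1 if the signal was generated. */
int sigpipe_generated_by_write(void) {
    sigset_t set, oldmask, pending;
    sigemptyset(&set);
    sigaddset(&set, SIGPIPE);
    sigprocmask(SIG_BLOCK, &set, &oldmask);
    int fd = closed_peer_socket();
    if (fd >= 0) {
        ssize_t n = write(fd, "reply", 5); /* fails with EPIPE, raises SIGPIPE */
        (void)n;
        close(fd);
    }
    sigpending(&pending);
    int raised = sigismember(&pending, SIGPIPE);
    struct sigaction ign = {0}, old;       /* SIG_IGN discards the pending signal */
    ign.sa_handler = SIG_IGN;
    sigaction(SIGPIPE, &ign, &old);
    sigaction(SIGPIPE, &old, NULL);
    sigprocmask(SIG_SETMASK, &oldmask, NULL);
    return raised;
}

int main(void) {
    printf("SIGPIPE ignored: write() errno %d (EPIPE is %d)\n",
           write_errno_with_sigpipe_ignored(), EPIPE);
    printf("default disposition: SIGPIPE raised = %d\n",
           sigpipe_generated_by_write());
    return 0;
}
```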
it seems to me that you are too 'close' to these topics to be editing the articles (djb article, and your own maradns article). your advocacy for your own software over other software (and the attitude expressed above in your comments about djb) makes it difficult to assume good faith. Anastrophe 18:44, 20 September 2007 (UTC)
OK, let me back up my "abandonment" quote. I have reworded this as "lack of updates for". Quite frankly, as described in my MaraDNS advocacy document, there are five bugs that DJB should fix with DjbDNS:
I understand a lot of DJB advocates feel that DjbDNS/Qmail are somehow "perfect" and do not need to be upgraded, but, quite frankly, I think it's obvious that DJB needs to fix the above five bugs with djbdns. And, really, the wording before I edited this article was "no functional exploits of any of these programs have been produced"; I revised this to "no privilege escalation exploits of any of these programs have been produced", since, yeah, the SIGPIPE issue seems to be a pretty "functional exploit". Sorry I don't have a working exploit; I will have to do some research with TCP to figure out how to send an RST packet to trigger the SIGPIPE and restart djbdns.
As for my objection to the "memory corruption and remote code execution vulnerabilities (in MaraDNS)" line, "memory corruption" in this case implies an attacker being able to control MaraDNS' memory. The "remote code execution" line is downright FUD, and, after six years of development and real-world use, not true (but if you find this kind of bug, let me know).
As for WP:COI, I agree. This is why I am careful about the MaraDNS edits (note that I asked permission in the corresponding talk page), and why the only edits on this page are to remove what is demonstrably an untrue fact (and getting rid of some negative speculation about DJB's behavior, as per WP:BLP). And, yes, it is hard for me to assume good faith with any DJB advocate: See this blog posting describing some of my unpleasant experiences with DJB advocates. Samboy 19:45, 20 September 2007 (UTC)
Would this [7] be an adequate source placing djb at Bellport High? I don't work on Bio pages much, so wasn't sure what would be required. I attended classes with him there, but I'm assuming that comes under WP:OR. Dstumme ( talk) 21:03, 16 July 2008 (UTC)
Wasn't djb the first one to popularise the idea of SYN Cookies? - http://cr.yp.to/syncookies.html 87.112.66.37 ( talk) 23:10, 13 September 2008 (UTC)
The article had this sentence in it: "Bernstein offers a security guarantee for qmail and djbdns [...] no functioning exploits of any of these programs have been published". Not true, as shown by these sources:
The "no functioning exploits" line was never backed up by a reference, and I have just posted two references showing that djbdns has had security issues that have been exploited. Is there any reason why this article should still have the "no functioning exploits" line? I have revised the line to state that no functioning exploits have been found for qmail. This, in spite of the fact that qmail has the backscatter spam problem, which can very well be considered to be an exploit.
Disclaimer: I am the author of MaraDNS. Samboy ( talk) 14:35, 30 June 2009 (UTC)
"...perhaps current views about how large numbers have to be before they are impractical to factor might be off by a factor of three. Thus as 512-digit RSA was then breakable, then perhaps 1536-bit RSA would be too."
If it's off by a factor of 3, then it would be 514 bit RSA that might be breakable, not 1536. If the intended meaning is that triple the number of bits of encryption could be broken, then it is off by a power of 3, not a factor of 3. Either way, the current wording is wrong. Aleph Infinity ( talk) 17:41, 5 November 2009 (UTC)
I just noticed this issue, and came to the talk page to report it, only to discover it was noticed 5 years ago. The paper linked as citation reports that breaking a 512 bit encryption might result in 1536 bit being broken; therefore I deduce that power of three is in fact what is meant. 81.159.253.79 ( talk) 20:51, 18 July 2014 (UTC)
Really now, how nice it would be if the article stated whether the court's ruling was *for* Bernstein or *against*. If it is "implied" that the ruling was in favor (or against?), well, implied is just not good enough. Toddcs ( talk) 21:00, 27 January 2012 (UTC)
There is a note on the article about the lead section, but there does not seem to be a discussion...
I would like to make clear that Bernstein took on the security industry by writing a number of core applications with minimal bugs that functioned for years without any known exploits, thus raising the standard. He was vocal and controversial in his criticism of the status quo, which resulted in blowback. The result was that his software was refused distribution by most Linux distros whilst relying on it internally, and even projects like OpenBSD, over his advocacy for licence-free software.
RonaldDuncan ( talk) 17:20, 10 February 2017 (UTC)
Discussion concluded, here is the archive link in case it comes up again.
/info/en/?search=Wikipedia:Biographies_of_living_persons/Noticeboard/Archive316#Daniel_J._Bernstein