| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Mar 2004 22:35:49 -0500 From: "Oliver Lavery" <oliver.lavery@...patico.ca> To: "'Drew Copley'" <dcopley@...e.com>, <bugtraq@...urityfocus.com> Cc: <LiuDieyuinchina@...oo.com.cn> Subject: RE: Followup: vuln in WinBlox monitor for winnt Most new programs aren't doing anything nearly this ambitious or dangerous. A hole in a newly written program is bad, injecting a hole into every program running on a system is absolutely horrible. Yeah, I agree, Liu Die Yu's vulns have been impressive. And this approach to securing a system has a lot of potential benefits, but it also has a lot of potential drawbacks. I didn't poke holes in it to be mean, but because I think it's a really significant idea, and one that has to be done right. It's seriously important that people don't go grabbing this thinking it's a stable program that will cure the ills of Windows until it really _is_. Let's see if this idea can reach fruition. It would be a shame to blow it for everyone who's interested in the potential of this kind of approach because of hyped up promises and premature code. Liu got what I was saying I think, and he's said he'd release the code. So let the games begin ;) Cheers, ~ol > -----Original Message----- > From: Drew Copley [mailto:dcopley@...e.com] > Sent: March 31, 2004 1:36 PM > To: Oliver Lavery; bugtraq@...urityfocus.com > Cc: LiuDieyuinchina@...oo.com.cn > Subject: RE: Followup: vuln in WinBlox monitor for winnt > > > > > > -----Original Message----- > > From: Oliver Lavery [mailto:oliver.lavery@...patico.ca] > > Sent: Tuesday, March 30, 2004 1:11 PM > > To: bugtraq@...urityfocus.com > > Subject: Followup: vuln in WinBlox monitor for winnt > > <snip> > > > > That's it. No pissing competition. Liu's onto something > > very good > > here, but as anyone who installs MS patches will tell ya, > > you've got to see > > the full implications of a fix before you choose to apply it. > > Until this > > thing gets rewritten properly, and follows even the most > > basic principals of > > secure coding, it'll cause more problems than it fixes, in > my opinion. > > > > I firmly believe that these sorts of tricks have tonnes > > of potential > > and are going to become even more common in the future of the > > "so called > > security community" tho' ;) > > <snip> > > Honestly, most [95%+-] "beta" or "alpha" programs do "cause > more problems then they fix". > > Liu Die Yu is relatively new at development, but he is > relatively new at finding bugs -- and he has succeeded > substantially at that. I do not doubt that he will succeed > substantially at this. > > And, all of this is yet another great reason to immediately > put code opensource at an excellent hosting spot like > sourceforge... even from the design phase, but especially > from the alpha release stage. > > Then you have the ability to have others to help out... and > you have such neat, modern resources such as bug databases > and submission forms. > > I do not think Liu Die Yu will take half a year or more to > fix his bugs. > > > > > > --- > Incoming mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004 > > --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
Powered by blists - more mailing lists