lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed Apr 13 16:13:55 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: How to Report a
	Security	VulnerabilitytoMicrosoft

mcbain@....com wrote:

> I dont believe even with a staff of 100k people that one could come up 
> with a conceivable testing environment for every possible network 
> setup in this world, could you?
>  

In my opinion, an attitude like this is part of the problem.  (No 
offense meant by this.. it's not directed at you personally.)

Obviously, there are an infinite combination of network configurations.  
Obviously, you have to draw a line somewhere.  Obviously there are 
variables you can't control.

However, isn't one of the great arguments for proprietary software that 
the vendors can control the software and avoid problems like this?  Why 
is it that I have more faith that a patch on the GNU/Linux system is not 
going to break my system than I have that a patch tested by MS for 6 
months won't break my MS Windows system?

This is not to say that Free Software programs are necessarily 
programmed in a better way than Proprietary MS Windows software, but its 
base design does tend to be better.

If an OS is coherently and solidly designed, the infinite number of 
combinations of network layouts shouldn't matter.  If a protocol/API is 
designed well, it is by definition predictable.  If an OS is designed 
well, it is also, by definition, predictable.   If you have to replicate 
every single concievable testing scenario to ensure that your software 
won't break, you're doing something wrong.

Now, I have no problem with exhaustive testing - I'm a big fan of it.  
However, there is a limit to it.  If you test all of the potential 
causes of trouble on the network (hardware interfaces, network stack, 
the applications used) and each portion by itself conforms to the 
standard and is functional, then that should generalize.  If having a 
completely unrelated program or utility on those systems screws things 
up, you have a fundamental design issue, and further testing will not 
save you.

This is why patching on MS Windows requires so much testing and trial 
and error: there are fundamental design issues in MS Windows which force 
people to harbor the "but you can't test all specific cases" attitude.

             -Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ