| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 10 Aug 2013 06:49:58 -0400 From: Jeffrey Walton <noloader@...il.com> To: Gichuki John Chuksjonia <chuksjonia@...il.com> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Re: Apache suEXEC privilege elevation / information disclosure On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia <chuksjonia@...il.com> wrote: > One thing u gotta remember most of the Admins who handle webservers in > a network are also developers since most of the organizations will > always need to cut on expenses, and as we know, most of the developers > will just look into finishing work and making it work. So if something > doesn't run due to httpd.conf, you will find these guys loosening > server security, therefore opening holes to the infrastructure. Cognitive Bias and Dissonance are well known problems in security engineering. NB's comments are a testament to the disconnect between the creators of the system and the users of the system. (No offense to NB). See, for example, Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html). Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists