lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <20031121155626.B8B9E2C551@quill.cisto.com>
Date: Fri, 21 Nov 2003 16:56:26 +0100 (CET)
From: Norbert Bollow <nb@...twareEconomics.biz>
To: bugtraq@...urityfocus.com
Subject: help needed with DotGNU security review (was Re: ..researchers org..)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Crispin Cowan <crispin@...unix.com> wrote:

> A subtle distinction may be the root cause here: Sardonix seeks to 
> change the research model from "find a bug, win a prize! (fame & glory 
> for half a day)" to "audit software, report what you find, and win a 
> reputation for the long term." Having a pile of audited software is 
> *much* more useful to admins than an endless stream of "gotcha again!" 
> advisories. But from the lack of response from security investigators, I 
> conjecture that "find a bug, win a prize!" is more fun to do, and so 
> that's what investigators choose to do.

Hmm...  I'd say that from the admin's perspective, the main problem
with the "find a bug, win the right to publish an advisory" system
of non-monetary rewards for finding security vulnerabilities is that
it tends to happen only after the software in question is widely
deployed, so that the endless stream of "gotcha again!" advisories
means endlessly having to upgrade the same software over and over
again.

How should I go about trying to find people who are skilled in the
area of finding security bugs, and who would be willing to have a
good look at key components of DotGNU (see http://dotgnu.org ) before
they're widely deployed?

In particular, right now it'd be good to have skilled "security
review" help with DotGNU Portable.NET in these areas:

 * checking the adherence of the bytecode verifier to the published
   spec and security conditions

 * range-checking of all values that need it

 * environmental security - controlling access to system facilities
   such as files, network, preferences, etc.

We're interested both in documentation of problems, as well as in
documentation of things that are not problems.  Discussion of these
and related matters is welcome on the pnet-developers mailing list,
see http://dotgnu.org/mailman/listinfo/pnet-developers .

Nota bene, we're aware that Portable.NET still lacks certain security
features, especially in the area of environmental security, and we
can use help with identifying all of the places where security will
need tightening for both app usage and applet usage.

Greetings, Norbert.

- -- 
Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
Free Software Business Strategy Guide   --->  http://FreeStrategy.info
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59        Fax +41 1 972 20 69       http://norbert.ch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/vAiZoYIVvXUl7DIRAuQXAJ9OEk01Y9PfH+mdhhHkwlOq4H7U+wCff8E+
DqUw0XnUW6NkaBycJ180q0U=
=PUiL
-----END PGP SIGNATURE-----

