lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 29 Oct 2004 11:45:32 +0100
From: Chris Paget <ivegotta@...bom.co.uk>
To: Michael Wojcik <Michael.Wojcik@...rofocus.com>
Cc: bugtraq@...urityfocus.com, Valdis.Kletnieks@...edu
Subject: Re: Update: Web browsers - a mini-farce (MSIE gives in)


On Wed, 27 Oct 2004 06:32:07 -0700, you wrote:

<snip>

>I write comms code - client- and server-side middleware.  I wouldn't dream
>of implementing a protocol with code that didn't sanity-check the data it
>gets off the wire.  

What's your point?  That you don't believe IE has any sanity checks?
More likely, this bug lies IN one of the sanity checks.

No system is 100% secure.  Fact.  Every single software system on the
planet, at least anything complex enough to justify the name "system",
DOES HAVE security flaws.  They may not be easy to find, but they're
there.  Anyone who believes otherwise either has access to technology
FAR in advance of the rest of us here on earth, or is a fool.

As proof of this, how about releasing some of *your* code?  You
believe that it is possible to write code that is completely secure,
ie completely free of all security holes, both known and unknown, by
strictly adhering to and enforcing every single aspect of the protocol
it is designed to handle.  I say that's not true - and I challenge you
to prove me otherwise.

Doesn't have to be a full application; a network protocol handler will
be sufficient; doesn't even need to be from a commercial app.  Just
enough to demonstrate that you *are* telling the truth - either your
code will stand up, in which case most developers can learn a few
things by using your code as an example, or a flaw will be found to
prove the case that 100% security can never be acheived, regardless of
how well you believe you have validated your input.

How about it?  Prove your case?

Chris

-- 
Chris Paget
ivegotta@...bom.co.uk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ