lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0208052137280.24619-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Re: it\'s all about timing


	[SNIP]

> >Your number 6 below:
> >
> >"The Vendor MUST provide a facility for individuals or
> >   organizations who are not Customers to report vulnerabilities"
> >
> >This to me sounds like it is acceptable that there are going to be
> >vulnerabilities. Continue cranking out shodware because we have a set
> >of guidelines that people who stumble across them are expected to
> >adhere to.
>
> Vulnerabilities will happen, even in the best of circumstances, as
> long as new types of vulnerabilities are discovered.  If there are 20
> individuals who decide to audit a package for a new type of
> vulnerability, but the vendor only has 5 developers, then it seems
> like there's a good chance that someone other than the vendor will
> discover the issue.  Then you've got "interaction" vulnerabilities,
> which I loosely define as when a vulnerability occurs in the way that
> two products interact with each other.  Developers can't always
> predict how their product will be used, or how it will interact with
> other products, so interaction-based vulnerabilities may be around in
> one form or another.


But seriously, what's new about buffer overflows, which are the main cause
of vunls in software now as they were in the 1980's and prior when the
morris worm hit[1].  How about repeat issue with the same products, like
the M$ sql server issues <not that M$ is the only vendor with products
that sink time and again>?


What 'new types of vulnerabilities' are being discovered?


	[SNIP]


Thanks,

Ron DuFresne
[1] http://sysinfo.com/iworms.html (our shameless plug)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ