lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0211271138400.8262-100000@clarity.local>
From: zen-parse at gmx.net (zen-parse)
Subject: Re: Netscape Problems.

On Tue, 26 Nov 2002, Dave Aitel wrote:

> In case you didn't notice, you're comparing a completely open process
> with one that is almost entirely closed. I.E. The total number of remote
> roots on Solaris, Windows NT, Irix, and the like is magnitudes higher
> than is actually disclosed. Whereas generally on Open Source platforms,
> you know and understand everything there is to know about each

And of course every potentially exploitable problem is labeled as such in 
open source products.

Squid DNS overflow is only a denial of service. It must be because it says 
so here:

http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
...
 A malicous DNS server could craft a DNS reply that causes Squid
 to exit with a SIGSEGV.
...

Dispite there being multiple exploits in existance, this is only 
a denial of service. The exploits must be mistaken.

Maybe squid is an exception....

How about mod_throttle for apache? If you've configured this, you have a 
local root waiting to happen. Author was notified 26 Jan 2002. 

> I'll have to think more about this for mod_watch.  This change in data 
> structure for mod_throttle/3.1.2 won't be fixed.  It will have to be 
> addressed in mod_throttle/4.0 which is a complete rewrite anyways.

Oh yeah, mod_watch too. Well, maybe its just that author.

Hmm... mebe I just had bad luck...

Let's try apache....

Shared memory thing? Was notified 11 Nov 2001. Patch released when? Hmm... 
nearly 12 months?

Of course that bug is useless... except in combination with others. Who 
could've predicted the apache chunking bug or openssl bug? I mean.. the 
source is open! It'll never have a security problem.

> vulnerability. This is why on Open Source platforms (or platforms for
> which the source code is so readily available as to make it open source
> in all but name) people are now hunting down obscure integer overflows,
> and on closed source platforms fuzzers are happily picking out stack
> overflows in initial handshake messages.

It's a nice theory. 'Make the source open and people will see the bugs'. 

It's a pity it doesn't work. 

All having the source available does is make people think "Well, the
source is there, someone must've looked at it".

> Were you comparing a vendor's internal bug database to various bugzillas
> you might have a better case.

Of course, there are not, nor have there ever been bugs in bugzila that 
would let you do that comparison.

"In case people haven't noticed yet, Open Source is not more secure."

Maybe it would be better to say "Making a project Open Source does not 
make it more secure if you take forever to fix it and don't tell people 
when you do fix it". 

One hole that is exploitable means the product is insecure, so how about
"Open Source software is as secure as Closed Source."

Many eyes would make code more secure, but only if they are actually 
looking at the code.

But that does not happen. 

-- zen-parse

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@....net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ