[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200406251703.i5PH3nds030544@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Evidence of a ISC being hacked?
On Thu, 24 Jun 2004 21:12:46 PDT, VX Dude <vxdude2003@...oo.com> said:
> "...and the build broke on OTHER systems
> because there wasn't a vsnprintf() in the vendor libc
> - and your boss is
> telling you TO GET THE THING TO BUILD, NOW....
>
> The programmer who is willing to swear on a Bible that
> they have *never* in
> their professional careers done something like this
> because they were in a
> time crunch is either a newbie or a complete liar."
>
> The word "boss" give me the illusion of some profit
> being made. Once again I could just be paranoid.
Remember that the majority of code in this world is *still* custom-written
applications code inside corporations. And I was discussing the *GENERAL*
scenario of how such things happen.
If "boss" offends you, replace it with "open source project leader".
You want an example in the open source world, wander over to the Gaim project
on SourceForge, where within the last 48 hours or so, the Yahoo people changed
their protocol again, leaving all the Trillian and Gaim users unable to connect
to Yahoo. Awful lot of duplicate bug reports filed, and "me-too" followups to
bug reports, and so on.
That's the sort of time when corners get cut, code auditing may not be quite as
stringent, and so on. In fact, the *last* time that Yahoo changed the
protocol, the resulting patch flurry ended up with a buffer overflow in Gaim
and Trillian (found by Stefan Messier, if I remember right), and the lack of
proper paperwork resulted in some GPL questions against Trillian....
(I'm only picking on the Gaim project because I'm aware of it, partly because
my fix for an earlier Gaim bug ended up dragged into the Gaim/Trillian GPL
mess... All you fans of other open-source projects, quit smirking - someday
*you*'ll be in that same position - I guarantee it, based on a quarter-century
of observing this industry... ;)
> Apparently the idea of people patching open source
> products just shows how much of a newbs we are.
See above... just because it's open source doesn't mean it doesn't have those
same problems.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040625/bc9e9268/attachment.bin
Powered by blists - more mailing lists