| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Evidence of a ISC being hacked? On Thu, 24 Jun 2004 21:12:46 PDT, VX Dude <vxdude2003@...oo.com> said: > "...and the build broke on OTHER systems > because there wasn't a vsnprintf() in the vendor libc > - and your boss is > telling you TO GET THE THING TO BUILD, NOW.... > > The programmer who is willing to swear on a Bible that > they have *never* in > their professional careers done something like this > because they were in a > time crunch is either a newbie or a complete liar." > > The word "boss" give me the illusion of some profit > being made. Once again I could just be paranoid. Remember that the majority of code in this world is *still* custom-written applications code inside corporations. And I was discussing the *GENERAL* scenario of how such things happen. If "boss" offends you, replace it with "open source project leader". You want an example in the open source world, wander over to the Gaim project on SourceForge, where within the last 48 hours or so, the Yahoo people changed their protocol again, leaving all the Trillian and Gaim users unable to connect to Yahoo. Awful lot of duplicate bug reports filed, and "me-too" followups to bug reports, and so on. That's the sort of time when corners get cut, code auditing may not be quite as stringent, and so on. In fact, the *last* time that Yahoo changed the protocol, the resulting patch flurry ended up with a buffer overflow in Gaim and Trillian (found by Stefan Messier, if I remember right), and the lack of proper paperwork resulted in some GPL questions against Trillian.... (I'm only picking on the Gaim project because I'm aware of it, partly because my fix for an earlier Gaim bug ended up dragged into the Gaim/Trillian GPL mess... All you fans of other open-source projects, quit smirking - someday *you*'ll be in that same position - I guarantee it, based on a quarter-century of observing this industry... ;) > Apparently the idea of people patching open source > products just shows how much of a newbs we are. See above... just because it's open source doesn't mean it doesn't have those same problems. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040625/bc9e9268/attachment.bin
Powered by blists - more mailing lists