lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2147483647.1088629707@[192.168.2.102]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Web sites compromised by IIS attack

--On Wednesday, June 30, 2004 6:27 PM -0500 Frank Knobbe <frank@...bbe.us> 
wrote:
>
> Instead of requiring the consumer to install patches, Microsoft should
> be required to fix their own, broken products. That means that they
> should send their army of engineers (a lot of which are now carrying the
> CISSP certification) to the consumers and have their engineers correct
> the flaws in their products. They sold flawed products, they should fix
> it.
>
I'm right there with you, Frank, on one condition.  You hold *every* 
software vendor to the same standard.  IOW, "Apache should be required to 
fix their own, broken products"..."RedHat Linux should be 
required"......"Oracle should be 
required"....."sendmail"....."wuftpd"....."php"..."mysql"...etc., etc., 
etc., ad infinitum, ad nauseum.

Be careful what you wish for.  You may actually get it.

I just upgraded my workstation from RedHat 9.0 to Fedora Core 1.  I then 
ran up2date and found that there were 142 software packages that needed to 
be updated.  Just before I did that, I run portupgrade on one of my FreeBSD 
boxes.  It had 17 programs that had to be updated.

If we're going to require that software vendors produce flawless products, 
we're not going to have many software products.  Even Postfix, which *to my 
knowledge* has never had a security issue, has had numerous bug fixes. 
(And I think so highly of Postfix that the first thing I do when I install 
a new OS is replace sendmail with Postfix.)

I attended a presentation yesterday for a security product in the 
application firewall field.  During the presentation, the CISSP stated that 
"in every 1000 lines of code there will be 15 errors".  I don't know if I'd 
agree with that - I suspect most coders are a bit better than that - but I 
had to chuckle, because, of course, I immediately thought, "So you admit 
that your code is riddled with holes!"

We need better methodologies for finding bugs in software.  We need better 
training of programmers.  We need established standards for coding that 
would define things like bounds checking.  We need a *lot* of improvements 
in software development, and those improvements need to be *industry-wide*, 
not just Microsoft.

Every time I read about a security vendor with a remote hole in their 
products, I think, "How in the world can they identify attacks, if they 
can't even see them in their own code?"

Clearly the problem is a *lot* bigger than Microsoft alone.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ