Message-ID: <Pine.LNX.4.50.0406302007040.27457-100000@server.dimick.net>
From: denis at dimick.net (Denis Dimick)
Subject: Web sites compromised by IIS attack
Paul,
If I'm understanding you correctly, you don't understand Linux/Redhat. Or
you're just being silly to make a point. sendmail, wftp, php, etc. are not
owned by Redhat. Each of these applications is owned by someone else and
Redhat is allowed to re-distribute them.
And using the number of fixes/patches to an application as an indication
of how good it is, is a bad thing. Using this logic you would have to say
M$ is a good product.
Denis
On Wed, 30 Jun 2004, Paul Schmehl wrote:
> --On Wednesday, June 30, 2004 6:27 PM -0500 Frank Knobbe <frank@...bbe.us>
> wrote:
> >
> > Instead of requiring the consumer to install patches, Microsoft should
> > be required to fix their own, broken products. That means that they
> > should send their army of engineers (a lot of which are now carrying the
> > CISSP certification) to the consumers and have their engineers correct
> > the flaws in their products. They sold flawed products, they should fix
> > it.
> >
> I'm right there with you, Frank, on one condition. You hold *every*
> software vendor to the same standard. IOW, "Apache should be required to
> fix their own, broken products"..."RedHat Linux should be
> required"......"Oracle should be
> required"....."sendmail"....."wuftpd"....."php"..."mysql"...etc., etc.,
> etc., ad infinitum, ad nauseam.
>
> Be careful what you wish for. You may actually get it.
>
> I just upgraded my workstation from RedHat 9.0 to Fedora Core 1. I then
> ran up2date and found that there were 142 software packages that needed to
> be updated. Just before I did that, I ran portupgrade on one of my FreeBSD
> boxes. It had 17 programs that had to be updated.
>
> If we're going to require that software vendors produce flawless products,
> we're not going to have many software products. Even Postfix, which *to my
> knowledge* has never had a security issue, has had numerous bug fixes.
> (And I think so highly of Postfix that the first thing I do when I install
> a new OS is replace sendmail with Postfix.)
>
> I attended a presentation yesterday for a security product in the
> application firewall field. During the presentation, the CISSP stated that
> "in every 1000 lines of code there will be 15 errors". I don't know if I'd
> agree with that - I suspect most coders are a bit better than that - but I
> had to chuckle, because, of course, I immediately thought, "So you admit
> that your code is riddled with holes!"
>
> We need better methodologies for finding bugs in software. We need better
> training of programmers. We need established standards for coding that
> would define things like bounds checking. We need a *lot* of improvements
> in software development, and those improvements need to be *industry-wide*,
> not just Microsoft.
>
> Every time I read about a security vendor with a remote hole in their
> products, I think, "How in the world can they identify attacks, if they
> can't even see them in their own code?"
>
> Clearly the problem is a *lot* bigger than Microsoft alone.
>
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>