Message-ID: <20040705144331.GD12130@2fkft.com>
From: szalkai at 2fkft.com (Akos Szalkai)
Subject: Web sites compromised by IIS attack

On Thu, Jul 01, 2004 at 06:09:05AM -0400, Valdis.Kletnieks@...edu created magic using only numbers:
> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl <pauls@...allas.edu>  said:
> 
> > I attended a presentation yesterday for a security product in the 
> > application firewall field.  During the presentation, the CISSP stated that 
> > "in every 1000 lines of code there will be 15 errors".
> 
> Actually, I suspect most coders are *worse* than that.  

You may be right, but your calculations are an order of magnitude off. :)

> Sendmail 8.13.0 weighs in at just about 90K lines of C code for
> the main program.  By that metric, there should only have been 135
> bugs in it. In fact, there are 441 occurrences of 'Problem noted by'
> in the release notes.

Maybe you were not really awake yet (look at the Date header!), but if
it's 15 errors/KLOC, then 90K lines of code should have 90*15=1350 bugs,
not 9*15=135.

You made the same mistake with BIND.  I do not like those two pieces of
software, but this time you showed that the Sendmail/BIND people are
better than the average programmer.

Akos

-- 
Akos Szalkai <szalkai@...hu>
Principal IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/
