Open Source and information security mailing list archives
Message-ID: <1189566909-1097305771-cardhu_blackberry.rim.net-10706-@engine31>
From: jasonc at science.org (Jason Coombs PivX Solutions)
Subject: RE: Disclosure policy in Re: RealPlayer vulnerabilities

> 0. ("The primordial sin") The
> vulnerable product is released ...
> ...
> Vendors must work much harder
> to avoid releasing ... code ...

Absolutely correct. Vendors who release code are the core problem.

Vendors should not release code; they should release its source.

Where this is not done, vendors should at least release a detailed code map and important security-related excerpts of the source as part of a forensic analysis report about the code that enables a skilled person to more easily read through the code with a hex editor and disassembler in a reasonable amount of time and decide whether to use the vendor's product as-is or whether to modify it to take out parts that expose unwarranted features and unwanted risk.

We simply must stop executing other people's OTS code.

Regards,

Jason

