lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <17184.29520.103995.401280@mail.linux-delhi.org>
Date: Thu Sep  8 18:22:53 2005
From: raju at linux-delhi.org (Raj Mathur)
Subject: Security Hole Found In Dave's Sock

>>>>> "Ted" == Ted Frederick <tfrederick@...entek.com> writes:

    Ted> Dear list, I know that this list is not meant for personal
    Ted> promotion but I think I would be remiss if I did not mention
    Ted> that my company has recently released an upgrade to our
    Ted> initial offering of Shoe 1.0.  The upgrade to Shoe 2.0
    Ted> includes a firewall/anti-virus product previously known as
    Ted> Sock 3.4563.v54.

    Ted> The upgrade cost is $19.99. There is also a required software
    Ted> assurance subscription of $325.79 monthly.

    Ted> If all goes well with the new product I suspect that we will
    Ted> be purchased by a major software vendor before year end thus
    Ted> making updates available on the first Tuesday of every month
    Ted> to protect against further holes.  These updates will have
    Ted> vague names with no indication of what they actually fix
    Ted> which should relieve you of sparing any thought to what risks
    Ted> you may have been exposed to prior to the patch.

    Ted> Yes, we have in fact thought of everything so you don't have
    Ted> to.

I'm afraid you have fallen into the common trap of suggesting a
hardwear solution for what is essentially a softwear problem.  I'd
have been much happier to see the softwear vendors acknowledge this
vulnerability (it's endemic, not specific to one vendor) and offer
upgrades to their softwear on a regular basis.

I'm making a compilation of socks v5.0 softwear available in the
market and subjecting them to stress testing; the testing includes
running 2KM after subjecting the softwear to dipping in Sewer 0.2,
having /bin/cat /bin/sleep on them for 2 days, and a cron job to
periodically transfer them to and from a Windows system.  The results
of this testing will be available for a nominal fee(*).

I also suspect that by the end of the testing the softwear will have
metamorphosed into those elusive WMDs that have been, uh, eluding us
for so long.

(*) Standard nominal fee is half your kingdom and your daughter's hand
in marriage).

Regards,

-- Raju
-- 
Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ