lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 9 Apr 2010 16:29:44 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: Vulnerabilities in phpCOIN

I think Universities should rethink their Software Development courses...

Valdis has got a very strong point. Here's my own. I got Safari to test
websites I develop.
Apple seems to think that during a recommended/critical Safari update, I
should be installing iTunes.
Oh, and surprise, with iTunes you get a couple of Apple Sync'ing services,
not to mention some hidden server.
It isn't *just* Apple, it's Linux, Microsoft and just about any other
company.
Microsoft forces you to get Desktop search (and turn on the indexing
service, which has its own set of exploits and slows the computer down *a
lot*).

Regards,
Chris.



On Fri, Apr 9, 2010 at 4:12 PM, <Valdis.Kletnieks@...edu> wrote:

> On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said:
>
> > And where's the point in reporting several projects that use a -say-
> > library which has a reported problem? (I mean, you've send quite the
> > same mail with a different software to bugtraq, today.)
>
> A few years ago, a rather nasty vulnerability was found in the zlib
> compression library.  We then saw a whole raft of advisories for things
> that included the zlib libraries, because often the package shipped with
> a private copy of zlib so patching the system zlib did *not* actually
> fix the problem for the zlib-using package.
>
> And quite frankly, if it's a very low-level package, the average system
> admin may not even *realize* that his very important MobyFoo package that
> he remembers uses something called FooBar (or at least he remembers MobyFoo
> wanting FooBar when he installed it 3 years ago), and the year after that,
> FooBar started using QuuxBaz, which (a) the sysadmin didn't even know was
> installed on his box, and (b) has a security hole.
>
> You think I'm kidding?  Even *after* some vigorous pruning, my Fedora
> laptop
> has 1,782 RPMs installed - back around Red Hat 9 it was more like 600.
> Lotta
> software bloat going on, and most sysadmins don't have the combo of time
> and
> clue to fight it.  For instance, it's a losing battle to keep Bluetooth
> software off this laptop, even though it doesn't *have* Bluetooth hardware,
> because more and more packages link in Bluetooth "in case you have it".
>
> And not one of those package developers understands the concept of a linker
> "weak reference". Argh.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ