lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <62259.1280491457@localhost>
Date: Fri, 30 Jul 2010 08:04:17 -0400
From: Valdis.Kletnieks@...edu
To: Christian Sciberras <uuf6429@...il.com>
Cc: mustlive@...security.com.ua, full-disclosure@...ts.grok.org.uk,
	fxchip@...il.com
Subject: Re: Day of bugs in WordPress 2

On Fri, 30 Jul 2010 08:37:25 +0200, Christian Sciberras said:

> How does writing your site/project from scratch, (I presume that's what you
> mean when you suggest a text editor as a replacement for a CMS), result in
> "higher" security?

It may not help security *directly*, but there's several indirect benefits:

1) If the person posting has to know how the damned thing works, they might
actually *notice* when they get pwned and not let it fester for weeks on end.

2) Smaller attack surface - if I'm running *just* an Apache instance without a
lot of complicated mod_* bells and whistles, and using stuff like vi to compose
new pages, that's a lot harder to attack than a site that has some 8 million
line of code monstrosity on the front end.

And there's a side benefit - if it was harder to post, fewer idiots would
figure out how, and people would think twice before posting.  So we'd have
percentage wise more well thought out and researched postings and less total
crap to wade through.  Admittedly, we'd probably lose a number of blogs that
are worth reading for amusement just for the total Fail quotient. ;)


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ