On 12/30/05, Tom Buskey <[EMAIL PROTECTED]> wrote:
On 12/29/05, Thomas Charron <[EMAIL PROTECTED]> wrote:
On 12/29/05, Bill McGonigle <[EMAIL PROTECTED]> wrote:
the software changes over time.  People DON'T spend their time going to a several month audit, and find each and every exploit.  They find the ones
http://www.openbsd.org
http://www.openssh.org
 
  Yes, they do.  And we all know how often ssh is the target due to exploits.  Obvious security errors are one thing, but the majority of exploits are due to the identification of what needs to be checked, versus what doesn't, specifically when the applications are written in C/C++.
 
  These errors are going to happen, period.  If anything, the above two projects having issues just proves that this is the case.  It's the turn around time that makes the difference.

that cause them problems in the manner that they use the software.  Not many actually sit back and say 'Well, what happens if my URL is a BEEEEEELion characters long?  Ok, it's fine with that many.  OH SHEEEET!  Someone used a BEEEEEEEELION and *ONE*!??!?!!  Poo!'  I'm not saying no one cares, I'm saying, software, because of the way
And there are the pen testers that do that.  And report 0 days to the various vendors.  Or keep it for their pen testing.  Or keep it to themselves for other reasons.
 
  Or, use it to set up a giant IRC network to spam people..  ;-)

 
  Thomas

 
