Exactly my point, regardless of whether it is open source or proprietary.
On Apr 11, 2014 10:06 AM, "fooler mail" <[email protected]> wrote:

> SQL injection is not a bug on *any* SQL server but on the application
> side, which does not properly handle the parameter(s) and forgets to
> implement the principle of least privilege... Adobe Acrobat is another
> story... that's the reason why Steve Jobs was against Adobe products
> getting into iOS, because of the company's closeness to big
> brother... unfortunately, a year after Jobs died... masansas joins papa
> rey in a shouting match..
>
> just keep in mind that there is no such thing as a 100% bulletproof
> security system... whatever technique you implement, either security
> by obscurity or open security...
>
> fooler.
>
> On Thu, Apr 10, 2014 at 8:26 PM, Kelsey Hartigan Go
> <[email protected]> wrote:
> > It might be believed that big companies have security teams, but there are a
> > number of security hole discoveries made by third parties instead of coming
> > from the companies. In some cases it also took a significantly long time
> > for some to patch these holes.
> > The SQL injection bug of SQL Server 2000 and the Adobe Acrobat PDF vulnerability
> > come to mind.
> > It is nice that a lot of these big companies release patches to their
> > products, but the frequency of this happening is quite high, making me feel
> > that they don't do sufficient security QA before a product is released.
> >
> > On Apr 11, 2014 7:54 AM, "fooler mail" <[email protected]> wrote:
> >>
> >> big companies have their own security team who assess and protect
> >> their proprietary products... from the start of code development..
> >> they integrate code scanners to see any vulnerabilities in the code
> >> and other security tools until it reaches a complete product...
> >>
> >> their reputation is based not only on the quality of the product but
> >> on the security side as well...
> >>
> >> fooler.
> >>
> >> On Thu, Apr 10, 2014 at 7:16 AM, Kelsey Hartigan Go
> >> <[email protected]> wrote:
> >> > On the other hand, since this is open source, someone is bound to find the
> >> > hole. What about proprietary systems?
> >> >
> >> > On Apr 10, 2014 6:37 PM, "fooler mail" <[email protected]> wrote:
> >> >>
> >> >> pluggers,
> >> >>
> >> >> another action needed from you... if you use the service of any of the
> >> >> sites listed in the link below, then you need to change your
> >> >> password...
> >> >>
> >> >> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
> >> >>
> >> >> it's time to realize why open source is not as secure as others
> >> >> claim it to be... but of course... there are still plenty of
> >> >> undiscovered security holes waiting to be discovered by security
> >> >> engineers... when this heartbeat outbreak happened last Monday... I spoke to my
> >> >> colleague yesterday, as this is one of the projects of big brother,
> >> >> who paid an open source developer working on a specific application to
> >> >> insert backdoor code... (I have to use other words so that big
> >> >> brother's scanner won't see it)... to my surprise.. he mentioned to me
> >> >> that he worked at noviembre sierra alfa previously and he can
> >> >> confirm that, but he won't go into the details... I also said to
> >> >> him that I saw one backdoor in the Linux kernel; until now it is still in
> >> >> there... you can't see it with a normal cli command, but it is there sitting
> >> >> innocently...
> >> >>
> >> >> I made a statement in ph-cyberview a year or so ago that we are not
> >> >> safe anymore... much worse if you are inside China....
> >> >>
> >> >>
> >> >> fooler.
> >> >>
> >> >> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <[email protected]>
> >> >> wrote:
> >> >> > hi drexx,
> >> >> >
> >> >> > a Google security guy is the one who found the bug, and Google fixed
> >> >> > their sites before sending the info to the community...
> >> >> >
> >> >> > below is the site to test for the vulnerability..
> >> >> >
> >> >> > http://packetstormsecurity.com/files/author/11160/
> >> >> >
> >> >> > fooler.
> >> >> >
> >> >> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
> >> >> > <[email protected]> wrote:
> >> >> >> 09Apr2014 (UTC +8)
> >> >> >>
> >> >> >> Here's a quick test on your localhost, & you don't even need to be
> >> >> >> root...
> >> >> >>
> >> >> >>
> >> >> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect
> >> >> >> google.com:443 -tlsextdebug 2>&1 |  grep 'TLS server extension
> >> >> >> "heartbeat" (id=15), len=1'
> >> >> >>
> >> >> >> TLS server extension "heartbeat" (id=15), len=1
> >> >> >>
> >> >> >> drexx@MACHINE:~$ date;
> >> >> >> Wed Apr  9 21:02:58 PHT 2014
> >> >> >>
> >> >> >> drexx@MACHINE:~$ uname -a
> >> >> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12
> >> >> >> 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >> >> >>
> >> >> >>
> >> >> >> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> >> >> >> http://www.laggui.com  ( Manila & California )
> >> >> >> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> >> >> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
> >> >> >>
> >> >> >>
> >> >> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar
> >> >> >> <[email protected]> wrote:
> >> >> >>>
> >> >> >>> And I may add this link for the exact patch version, since different
> >> >> >>> package revisions exist for different versions of Ubuntu -
> >> >> >>> http://www.ubuntu.com/usn/usn-2165-1/
> >> >> >>>
> >> >> >>> Ubuntu 13.10:
> >> >> >>>     libssl1.0.0 1.0.1e-3ubuntu1.2
> >> >> >>> Ubuntu 12.10:
> >> >> >>>     libssl1.0.0 1.0.1c-3ubuntu2.7
> >> >> >>> Ubuntu 12.04 LTS:
> >> >> >>>     libssl1.0.0 1.0.1-4ubuntu5.12
> >> >> >>>
> >> >> >>> As for CentOS 6, they haven't released a patched version, but the latest
> >> >> >>> available in the update repo has the heartbeat feature disabled as an
> >> >> >>> interim workaround, so upgrade when you can:
> >> >> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
> >> >> >>>
> >> >> >>>
> >> >> >>> -----
> >> >> >>>
> >> >> >>> -[ OpenSource, Open Ideas ]-
> >> >> >>>
> >> >> >>>
> >> >> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <[email protected]>
> >> >> >>> wrote:
> >> >> >>>>
> >> >> >>>> pluggers,
> >> >> >>>>
> >> >> >>>> action needed from you if you are not aware of this serious
> >> >> >>>> security hole...
> >> >> >>>>
> >> >> >>>> http://www.openssl.org/news/secadv_20140407.txt
> >> >> >>>>
> >> >> >>>> update/patch your openssl package... create a new private key
> >> >> >>>> using the updated/patched openssl... create a new CSR based on that
> >> >> >>>> new private key and update your https site(s) with a new signed
> >> >> >>>> certificate (this includes self-signed certificates as well)
> >> >> >> _________________________________________________
> >> >> >> Philippine Linux Users' Group (PLUG) Mailing List
> >> >> >> http://lists.linux.org.ph/mailman/listinfo/plug
> >> >> >> Searchable Archives: http://archives.free.net.ph
> >> >
> >> >
> >
> >
>
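Two checks from this thread, written out as an added example that is not part of the thread or of any project mentioned in it: parsing the `openssl s_client -tlsextdebug` output Drexx used to see whether a server advertises the heartbeat extension, and comparing an installed Ubuntu libssl1.0.0 package version against the USN-2165-1 fixed versions Rudel quoted. The s_client sample output is constructed, the affected-version range is taken from the OpenSSL advisory the thread links, and the dpkg-style version comparison is a simplified one (no epoch or '~' handling) written for this example.

```python
import re

# Affected range per the OpenSSL advisory linked in the thread (secadv_20140407):
# 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and the 1.0.0 / 0.9.8 branches are not.
VULNERABLE_UPSTREAM = re.compile(r"^1\.0\.(1[a-f]?|2-beta1)$")

# Fixed Ubuntu libssl1.0.0 versions as quoted from USN-2165-1 in the thread.
FIXED_UBUNTU = {
    "13.10": "1.0.1e-3ubuntu1.2",
    "12.10": "1.0.1c-3ubuntu2.7",
    "12.04": "1.0.1-4ubuntu5.12",
}

# Constructed sample of `openssl s_client -tlsextdebug` output (not a real capture).
SAMPLE_TLSEXTDEBUG = """TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
"""

def heartbeat_advertised(s_client_output: str) -> bool:
    """True if the server advertised the TLS heartbeat extension (id=15).
    This says the extension is enabled, not that the server is vulnerable:
    a patched 1.0.1g still advertises it, while a build with heartbeats
    compiled out (the CentOS interim workaround) does not."""
    return re.search(r'TLS server extension "heartbeat" \(id=15\)', s_client_output) is not None

def upstream_vulnerable(version: str) -> bool:
    """Classify an upstream OpenSSL version string such as '1.0.1e' or '1.0.1g'."""
    return VULNERABLE_UPSTREAM.match(version.strip()) is not None

def _tokens(part: str) -> list:
    # Alternating digit / non-digit runs; digit runs compare numerically, not lexically.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|\D+", part)]

def _compare(a: str, b: str) -> int:
    # Simplified dpkg-style ordering (assumption: no epoch or '~' handling needed).
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if type(x) is not type(y):
            x, y = str(x), str(y)
        if x != y:
            return -1 if x < y else 1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def ubuntu_package_patched(release: str, installed: str) -> bool:
    """Compare an installed libssl1.0.0 version (as shown by `dpkg -l libssl1.0.0`) with
    the fixed one for that release. The fix is backported, so the package revision decides."""
    inst_up, _, inst_rev = installed.partition("-")
    fix_up, _, fix_rev = FIXED_UBUNTU[release].partition("-")
    return (_compare(inst_up, fix_up) or _compare(inst_rev, fix_rev)) >= 0
```

A distro package that compares below the fixed revision is unpatched even though its upstream part still reads 1.0.1e; the two checks complement each other rather than replacing a patch.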
