Re: Holy Security

2005-02-15 Thread Spike
Jochem van Dieten wrote: > Spike wrote: > >>Not to mention the fact that a lot of the exploits that are discovered >>in open source software may well have a directly comparable exploit in >>closed source software if the mechanism of failure is a non-obvious one >>in an otherwise typical code co

RE: Holy Security

2005-02-15 Thread Ben Rogers
> You discover a bug in open-source software. You notify the developers. > They say "cool, we'll fix that". The new version has this fix and is > released a few days/weeks after the initial notification. Or they tell you it's not actually a bug. It's the way it should work because of some obscure

Re: Holy Security

2005-02-14 Thread Jon Austin
And in some cases, issue an IMMEDIATE fix/workaround which you can patch against (or fetch the fixed version from CVS) and have the hole plugged in a matter of minutes. Some researchers who have been finding exploitable issues in MS products have been issuing their own binary patch as a band-aid sol

RE: Holy Security

2005-02-14 Thread Damien McKenna
Here's a thought... You discover a bug in closed-source software. You notify the developers. You are told, after paying the $xxx per-call support fee that yes, this is a bug and will be fixed in the next version. You wait X months/years and the new release costs another few hundred/thousand $,

RE: Holy Security

2005-02-14 Thread Phillip B. Holmes
>>last norton report says (vulnerabilities) >>windows 60,000 + >>mac & linux 60 LOL! Only one remote hole in the default install, in more than 8 years! http://www.openbsd.org Phillip --- [This E-mail has been scanned for viruses.]

Re: Holy Security

2005-02-14 Thread dave
sure thing boss!! if it helps convey the point then it should be said, wasn't about "mine's bigger than yours" From: Mike Kear <[EMAIL PROTECTED]> Sent: Monday, February 14, 2005 10:15 PM To: CF-Talk Subject: Re: Holy Security Can yo

Re: Holy Security

2005-02-14 Thread Mike Kear
Can you guys take your 'mine is bigger than yours' contest to some other list please? Cheers Mike Kear Windsor, NSW, Australia Certified Advanced ColdFusion Developer AFP Webworks http://afpwebworks.com ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month On Mon, 14 Feb 2005 21:46:18 -0500, d

Re: Holy Security

2005-02-14 Thread dave
well it kinda shows that closed source surely ain't "the shit" it would make sense to be! From: Claude Schneegans <[EMAIL PROTECTED]> Sent: Monday, February 14, 2005 9:41 PM To: CF-Talk Subject: Re: Holy Security >>l

Re: Holy Security

2005-02-14 Thread Claude Schneegans
>>last norton report says (vulnerabilities) >>windows 60,000 + >>mac & linux 60 So what? These are only known vulnerabilities, and vulnerabilities are only known when people try to find them, so it only proves that there are 60,000 guys interested in finding vulnerabilities in Windows for 60 gu

Re: Holy Security

2005-02-14 Thread dave
last norton report says (vulnerabilities) windows 60,000 + mac & linux 60 From: Claude Schneegans <[EMAIL PROTECTED]> Sent: Monday, February 14, 2005 9:24 PM To: CF-Talk Subject: Re: Holy Security >> Absolutely. If I was to look for

Re: Holy Security

2005-02-14 Thread Claude Schneegans
>> Absolutely. If I was to look for vulnerabilities anywhere, it would sure be easier if I had the source code! ;-) The fact that there are less attacks against Linux is similar to the fact that there are (almost) no viruses for Macs: there is nobody to watch ;-) Just like those guys running nud

Re: Holy Security

2005-02-14 Thread Jon Austin
On Tue, 15 Feb 2005 01:40:25 +0100, Jochem van Dieten <[EMAIL PROTECTED]> wrote: > You mean like the integer overflows that made non privilege > separated OpenSSH rootable a few years ago. Sure, the patch was > out before the exploit was out. But did anybody take a step back, > said "wow, this is

Re: Holy Security

2005-02-14 Thread Rob
> > I would argue that open source code is MORE analyzed than closed > > source. Especially if it is a critical/core component. > > > > Look at OpenBSD. They have a fantastic security record. > > But I am afraid they are the exception, not the rule. Crazy talk. Most anything based on BSD - open

Re: Holy Security

2005-02-14 Thread Jochem van Dieten
Jon Austin wrote: > No, but it was in response to your original question, > > "Do you know anyone that analyzes the quality of other people's > open source code? Anyone?" I meant that as friends, colleagues, not names on LKML. > I would argue that open source code is MORE analyzed than closed > s

Re: Holy Security

2005-02-14 Thread Rob
On Mon, 14 Feb 2005 19:28:04 -0500, dave <[EMAIL PROTECTED]> wrote: > when ppl are looking at what you are doing you just write better code, I'm > assuming 90% of ms code is written by ppl completely wigged out on starbucks > ;)~ And they just got out of school having never "worked" in IT (gott

Re: Holy Security

2005-02-14 Thread Jochem van Dieten
Spike wrote: > Not to mention the fact that a lot of the exploits that are discovered > in open source software may well have a directly comparable exploit in > closed source software if the mechanism of failure is a non-obvious one > in an otherwise typical code construct. You mean like the in

Re: Holy Security

2005-02-14 Thread Jon Austin
No, but it was in response to your original question, "Do you know anyone that analyzes the quality of other people's open source code? Anyone?" I would argue that open source code is MORE analyzed than closed source. Especially if it is a critical/core component. Look at OpenBSD. They have a fan

Re: Holy Security

2005-02-14 Thread dave
starting to get worried about firefox From: Jon Austin <[EMAIL PROTECTED]> Sent: Monday, February 14, 2005 6:34 PM To: CF-Talk Subject: Re: Holy Security Am I misreading what you said? Strange piece of logic there. I would think the fact that the

Re: Holy Security

2005-02-14 Thread Jordan Michaels
No, you're reading it right. I was being sarcastic. =P Sorry for not making that more clear. My fault! Warm regards, Jordan Jon Austin wrote: >Am I misreading what you said? Strange piece of logic there. I would >think the fact that the source code not being available would make it >more diffic

Re: Holy Security

2005-02-14 Thread Jochem van Dieten
Jon Austin wrote: > Well, the Linux kernel for one is pretty heavily peer-reviewed. And > that's even before it gets committed to the source tree, which largely > is a final process overseen by Linus. So the kernel code is VERY > heavily reviewed. And would the process for getting patches into AIX,

Re: Holy Security

2005-02-14 Thread Spike
Not to mention the fact that a lot of the exploits that are discovered in open source software may well have a directly comparable exploit in closed source software if the mechanism of failure is a non-obvious one in an otherwise typical code construct. Since most of the bug reports for open so

Re: Holy Security

2005-02-14 Thread Rob
On Tue, 15 Feb 2005 00:56:07 +0100, Jochem van Dieten <[EMAIL PROTECTED]> wrote: > Ian Skinner wrote: > > Myself. I have done it for a couple of small things. Nothing on the scope > > of an entire browser, but I assume that all the people actually working on > > a project like Firefox are check

Re: Holy Security

2005-02-14 Thread Jon Austin
Well, the Linux kernel for one is pretty heavily peer-reviewed. And that's even before it gets committed to the source tree, which largely is a final process overseen by Linus. So the kernel code is VERY heavily reviewed. Look at the bugtraq mailing list. There are tonnes of people who are a) dis

Re: Holy Security

2005-02-14 Thread Sean Corfield
On Tue, 15 Feb 2005 00:40:40 +0100, Jochem van Dieten <[EMAIL PROTECTED]> wrote: > Do you know anyone that analyzes the quality of other people's > open source code? Anyone? My old company, Programming Research, specialized in code analysis tools for FORTRAN, C, C++ and I believe they have a Java a

Re: Holy Security

2005-02-14 Thread Jochem van Dieten
Ian Skinner wrote: > Myself. I have done it for a couple of small things. Nothing on the scope > of an entire browser, but I assume that all the people actually working on a > project like Firefox are checking it for problems as best as they can. Of course they are. But how is that different /

RE: Holy Security

2005-02-14 Thread Ian Skinner
www.BloodSource.org Sacramento, CA "C code. C code run. Run code run. Please!" - Cynthia Dunning -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: Monday, February 14, 2005 3:41 PM To: CF-Talk Subject: Re: Holy Security Ian Ski

Re: Holy Security

2005-02-14 Thread Jochem van Dieten
Ian Skinner wrote: > > Yes, they also can analyze the code for holes, but in open source they aren't > the only ones doing so. Do you know anyone that analyzes the quality of other people's open source code? Anyone? Jochem

RE: Holy Security

2005-02-14 Thread Ian Skinner
From: Jon Austin [mailto:[EMAIL PROTECTED] Sent: Monday, February 14, 2005 3:30 PM To: CF-Talk Subject: Re: Holy Security Am I misreading what you said? Strange piece of logic there. I would think the fact that the source code not being available would make it more di

Re: Holy Security

2005-02-14 Thread Jon Austin
Am I misreading what you said? Strange piece of logic there. I would think the fact that the source code not being available would make it more difficult to find security problems. It would be easier to spot an overflow of some type in the code, rather than having to effectively "brute force" an over

Re: Holy Security

2005-02-14 Thread Jordan Michaels
lol You know what? That's awesome. Converting our W2K box to SuSE 8.2 back in the day is what made a Linux believer out of me. We had nothing but trouble with our W2K box and as soon as our SuSE 8.2 box went into production, it just ran. No crashes, no strange/inexplicable errors, it just ran.

Re: Holy Security

2005-02-14 Thread Jochem van Dieten
Rob wrote: > I am sure this will be on the news soon, but it looks like a slew of > security problems on windows were reported lately That won't be in the news anytime soon: you are a week late. All these Windows issues were made public last Tuesday. Every second Tuesday of the month is MS patc

Re: Holy Security

2005-02-14 Thread Jared Rypka-Hauer - CMG, LLC
The Linux one was Windows filesystem errors... The Mozilla one allowed a local user to upgrade their privs... at first I was thinking, eh, that's not THAT big of a deal. But then I started thinking... hacker hacks in, hacker gets SU, hacker does nasties. EVEN if you've cut your users back to power

Re: Holy Security

2005-02-14 Thread Jordan Michaels
::blink:: ::laughs uncontrollably:: It's also great to note that the windows vulnerabilities you mentioned could mostly be executed remotely, whereas one of the mozilla/firefox vulnerabilities and the linux vulnerability could only be executed locally, or with a local user's "permission". Howe