Seems to me that having the source would make finding an exploit considerably easier.

As you say, it's not impossible without the source - at least many, if not most, exploits are found without source code.

As an ex-computer professional, I personally have found exploits without source code. In all those cases I wished I'd had the source.

So I think your respondent is wrong. I won't sully the airwaves with my other thoughts about his/her comments.

My original point was related to the fact that I have wasted a lot of time (probably man-months) looking at source code to find problems in (other people's) executables when it turned out that the source I was looking at had been changed *after* the executable was released. As a result I simply refuse to trust source code that has a "time last modified" (TLM) after the TLM of the executable. Promises that "this really is the source" carry very little weight on my scales.

Harold Fuchs
----- Original Message -----
From: "Mike Miller" <[EMAIL PROTECTED]>
To: "Harold Fuchs" <[EMAIL PROTECTED]>
Cc: "James Weatherall" <[EMAIL PROTECTED]>; <vnc-list@realvnc.com>
Sent: Wednesday, May 17, 2006 12:32 AM
Subject: Re: Version 4.1.2


On Wed, 17 May 2006, Harold Fuchs wrote:

Mike Miller wrote:

<snip>
Another good reason to release binaries first -- think about this -- a bad guy could download both the new source and the old source, do diffs and figure out how to exploit the vulnerability. If the binaries are out there first, it gives us a chance to prepare for the coming barrage of attacks.

This is an excellent point.
Thank you.


FYI - I've been told off list that my point is not excellent, and it is in fact glaringly and shamefully wrong. The guy who wrote to me said my remark was "one of the most false statements i have heard." It was, he claimed, the sort of thing that a 14-year-old would write in an attempt to show off. The person who told me these things also told me that he is a computer professional who was able, with a friend, to develop an exploit for this vulnerability in only 12 hours of work. He completed it 8 hours before the source code was available. Therefore, he believes, I am wrong to suggest that the source code could help someone to develop software for remote exploit. I don't agree. I did not claim that it would be impossible to develop the exploit without the diffs. Of course it was possible to develop an exploit without the diffs and that was why the code had to be revised. I think the revised code could help, but it is possible that I am mistaken.

Anyway, I thought I'd point out that not everyone agrees with me.

Mike
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
