On Fri, 1 Dec 2000, mouss wrote:
> At 11:06 29/11/00 -0800, Martin wrote:
> dunno. anyway, I'm certainly not gonna spend my time auditing any code. The
> best
> approach is to _rewrite_ the code. there's no point in analysing it.
> I simply can't understand that there are guys who audit code instead of
> redesigning the
> whole stuff. NetBSD seems to have a better thinking process...
Somewhere in here I missed the point. NetBSD introduces much new code into
the tree everyday. Fine. How much of it makes it's way into FreeBSD and
OpenBSD ? The drivers usually. So what is this process ? People read the
code and see if it is something that should be integrated into a
particular OS.
And the benefit of running an OpenSource operating system is that there
are people who audit. As you said you are not going to spend time
auditing. And you dont have to, if you believe in the team.
Unix has problems. But if you want to run it, you have to follow standards
when writing code. The majority of unix exploits can be blamed on
stdio. This has very little to do with the particular OS, and more to do
with proper coding techniques and the right mindset. In a multiuser OS
your mindset has to be more paranoid than focused on 'just making it
work'. This is what OpenBSD has initiated, and what other groups are
learning from.
Your right; a quick search on 'ftpd' will yield numerous exploits over the
years. And this many years later, I would not put it past some hacker
finding a buffer or heap overflow in it. This is a classic example of a
program that should have been redesigned. It was, and it was done by
OpenBSD team. It was then appreciated so much that a group ported it to
Linux.
Why is Linux considered insecure ? Because the distrobutions of it are
many with different directions and they appreciate new code being
integrated into the tree. This is new code that has not been
audited. The security company that I work does e-commerce
hosting. Customers are not allowed to introduce JSP/ASP/servlet/cgi-bin
code onto their hosted sites until it has been analyzed and audited. Do
you know the number of scripts and programs that are denied. Many. And
these are written by top level programmers that forget about security. My
point: auditing is a process of security; not something you can overlook.
cheers,
.truman.boyes.
---------------------------------------------
"There is no reason anyone would want a computer in their home,"
-- Ken Olson, pres., and founder of Digital Equipment Corp., 1971
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
