Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 6 Mar 2016 18:09:17 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On Sun, Mar 06, 2016 at 12:39:46PM +0000, op7ic x00 wrote:
> www.freeovi.com  -> it does have big `blue' button.

Oh, I wasn't aware of it, and a Google search for "freeovi" or "ovi id"
finds only irrelevant stuff now.  I think it was not publicized enough.
Also, there's a name clash of "freeovi" with some old Nokia maps stuff.

As to the button (non-)issue, I brought it to Twitter poll.  Of course,
it's not the same crowd as oss-security, but I want to get an overall
picture of how strongly people feel in favor of not wasting IDs, without
spamming this list with "+1" replies:

https://twitter.com/solardiz/status/706488297242140672

In fact, there are pretty strong results after a few minutes already.

One of my concerns was that people would be hunting for vanity OVE IDs.
I didn't want to encourage waste of time on that, nor attempts to
increase the counter up to a pretty-looking number.  The latter is one
of the reasons why I chose to include the full date rather than just the
year - this makes numbers like 7777 less valuable, since there's one of
each of those every day.  (Another reason to include the full date is
that it may sometimes provide some insight into disclosure timelines,
even if not reliably.  I suspect some people won't like that, though.)
I think OVI, if it gains popularity and is not adjusted, is far more
"vulnerable" to such vanity ID hunting.

Also, having the IDs increase up to a few thousand on each normal day
may discourage deliberate/malicious attempts to do so, and people trying
to skip IDs on such days and come back for lower IDs tomorrow.

However, there appears to be a psychological aspect with spilling
unrequested IDs on the page.  It makes many people feel sorry.  I think
I underestimated that.

(Another workaround would be to use randomized yet 4-digit IDs, but
being able to get some sequential IDs is very nice for assigning them to
related vulnerabilities.  This is why the page currently spills 10 IDs
at once on a second page load from the same IP address, and a few times
more, as long as the current ID is sufficiently below 9999 to allow for
this generosity.)

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ