Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 6 Mar 2016 15:47:19 +0000
From: "op7ic \\x00" <op7ica@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct
 impact to researchers/companies

agree, the vanity hunting is going to be there but I suppose as with any
bug ID that is going to happen.
But beyond that I don't think it matters as much. In the end of the day if
somebody can use OVI or OVE to identify their bug then at least we got some
level of reference to look it up on google.

I was toying with 4digit IDs that would be random enough, thats a
possiblity too, the only problem is that there is a overhead of doing DB
sorting and lookups to make sure their don't clash. Thats why ovi uses
sequential numbers - its just easier to manage.

Cheers,



On Sun, Mar 6, 2016 at 3:09 PM, Solar Designer <solar@...nwall.com> wrote:

> On Sun, Mar 06, 2016 at 12:39:46PM +0000, op7ic x00 wrote:
> > www.freeovi.com  -> it does have big `blue' button.
>
> Oh, I wasn't aware of it, and a Google search for "freeovi" or "ovi id"
> finds only irrelevant stuff now.  I think it was not publicized enough.
> Also, there's a name clash of "freeovi" with some old Nokia maps stuff.
>
> As to the button (non-)issue, I brought it to Twitter poll.  Of course,
> it's not the same crowd as oss-security, but I want to get an overall
> picture of how strongly people feel in favor of not wasting IDs, without
> spamming this list with "+1" replies:
>
> https://twitter.com/solardiz/status/706488297242140672
>
> In fact, there are pretty strong results after a few minutes already.
>
> One of my concerns was that people would be hunting for vanity OVE IDs.
> I didn't want to encourage waste of time on that, nor attempts to
> increase the counter up to a pretty-looking number.  The latter is one
> of the reasons why I chose to include the full date rather than just the
> year - this makes numbers like 7777 less valuable, since there's one of
> each of those every day.  (Another reason to include the full date is
> that it may sometimes provide some insight into disclosure timelines,
> even if not reliably.  I suspect some people won't like that, though.)
> I think OVI, if it gains popularity and is not adjusted, is far more
> "vulnerable" to such vanity ID hunting.
>
> Also, having the IDs increase up to a few thousand on each normal day
> may discourage deliberate/malicious attempts to do so, and people trying
> to skip IDs on such days and come back for lower IDs tomorrow.
>
> However, there appears to be a psychological aspect with spilling
> unrequested IDs on the page.  It makes many people feel sorry.  I think
> I underestimated that.
>
> (Another workaround would be to use randomized yet 4-digit IDs, but
> being able to get some sequential IDs is very nice for assigning them to
> related vulnerabilities.  This is why the page currently spills 10 IDs
> at once on a second page load from the same IP address, and a few times
> more, as long as the current ID is sufficiently below 9999 to allow for
> this generosity.)
>
> Alexander
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.