Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 12 Jan 2018 14:58:10 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: On reading, thinking, copying

Hello list,

After getting home from work (and after fixing my emulated server
that could not handle the SSL handshakes any more), I was quite
amused reading the references around yesterday's CVE-2018-1000001.

Derived from that, here some hints to improve quality in security
information handling:


1) The first link in an article usually is not the most important
one. This is due to probability theory and correlates with the
number of citations in the article. It even is less likely to
be relevant, when the article starts citing the historic context
- unless you are a software archeologist.

2) If the resource behind the first reference has some well-known
name in the first few lines, you should not conclude, that this
prooves the argument, you want to have prooven. You should still
read, what this source says and put it in the context of the current
argument. Otherwise you might end up at crap-press quality level:
cite Harvard in the first line (no one will check the reference
anyway) and the claim whatever you want.

3) There are quite some differences between an errant lxstat call
and a buffer overflow. SOC members should know that. While the
first by itself is just a bug and has zero security relevance
when triggered in a fully user-controlled directory structure
(proove me wrong), still the later might have quite severe security
implications.

4) Just because someone else copied crap without thinking, you
should not do the same.


Here is a suboptimal Google dork to get an approximate ranking
of the most popular copy-without-thinking sites related to this
issue (and subtract automated feed forwarding and correct context
citations by hand).

https://www.google.com/search?q=%22CVE-2018-1000001%22+%22sourceware.org/bugzilla/show_bug.cgi%3Fid%3D18203%22&filter=0

hd


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ