Message-ID: <CAEZyo3ASqgsg1zD4nO7ShE8QS5yTPdiS6XPsG_d7EOZp8-aJYg@mail.gmail.com>
Date: Tue, 9 Sep 2014 22:14:21 +0300
From: Mikko Korpela <mikko.korpela@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: pinocchio tmp vuln

"And we will need that because there are so many
devices hitting the streets with so many noob vulns that it's only a
matter of time before someone is killed."

So umm.. You're saying that you guys are saving the world by finding out
random packages that use easily guessable filenames from /tmp/ that
everybody has access to?

I think security (like safety) has its place, but it is largely
context dependent - you don't put locks on every door in your house
(or I hope you don't) or you end up spending all the time opening and
closing them.

I'm not arguing that the things you guys are talking about are not
important in many contexts but test automation??

It is part of the software development process - and in many cases it
requires that the system under test be executed in some very
insecure way to enable access to the internals of the tested system.
So in this place where these tests are executing (the developer's little
sandbox that is far away from the evil world around us) if someone
"evil" has access to the /tmp/ folder or the machine in any way then
you are already screwed.

So could someone please give me an example case of a test automation
tool where removing a /tmp/ vuln would have had any significance?

(By the way I kind of think that I'm saving the world also :P by
giving people test automation tools so they can get bugs out of their
software systems - and bugs really kill people)

2014-09-09 19:39 GMT+03:00 John Haxby <john.haxby@...cle.com>:
> On 09/09/14 09:34, Steve Kemp wrote:
>>                                          I'm sure lots of
>>  modules exist created by inexperienced developers who haven't
>>  considered the implications of posting new code libraries.
>
> We see lots of people making the same mistakes over and over again.
>
> Apart from the obvious newbie mistakes of failing to create proper
> temporary directories, we also get things like the slightly more subtle
> shipping a "secure" web server with a fixed self-signed cert.   Or
> copying a user-supplied string into a MAXPATH+1 buffer because that's
> long enough for any pathname.   Or ...
>
> I don't need to go on, we've all seen them and Kurt highlighting
> problems is all goodness because at least it gets people thinking a bit
> more about security.  And we will need that because there are so many
> devices hitting the streets with so many noob vulns that it's only a
> matter of time before someone is killed.
>
> jch



-- 
Mikko Korpela
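Added example, not part of this message, the thread, or the pinocchio project: the "easily guessable filename in /tmp/" pattern the thread argues about, next to the tempfile.mkstemp/mkdtemp form that the "proper temporary directories" remark refers to. It simulates the attacker's side (a symlink planted at the predictable name before the tool runs) entirely inside private temporary directories, so it runs offline as an unprivileged user. The filename "tool_output.tmp", the shared directory and the victim file are constructed for the demonstration; the code shows only the mechanism, not whether it matters in any particular developer sandbox.

```python
"""
Added example (not from this thread or the pinocchio project): a fixed,
guessable filename in a shared /tmp versus the mkstemp/mkdtemp fix.
Everything runs inside private temporary directories; the shared directory,
the victim file and the name "tool_output.tmp" are constructed for the demo.
"""
import os
import stat
import tempfile

# Constructed for the example: the kind of fixed name a tool might hard-code.
PREDICTABLE_NAME = "tool_output.tmp"


def write_predictable(shared_dir, data):
    """Vulnerable pattern: a fixed path in a directory others can write to.

    open(path, "w") follows a symlink that someone else planted at that
    name, so the tool truncates and overwrites whatever the link points at.
    """
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_secure(shared_dir, data):
    """Hardened pattern: tempfile.mkstemp picks an unpredictable name, opens it
    with O_CREAT|O_EXCL (a pre-planted file or symlink makes it retry with a
    new name, never reuse the old one) and mode 0600, and returns the already
    open descriptor so there is no second path lookup to race."""
    fd, path = tempfile.mkstemp(prefix="tool_", dir=shared_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def make_secure_dir(shared_dir):
    """Same idea for a scratch directory: mkdtemp creates it with mode 0700,
    so anything placed inside is not reachable by other local users."""
    return tempfile.mkdtemp(prefix="tool_", dir=shared_dir)


def secure_dir_mode():
    """Permission bits mkdtemp actually sets (independent of umask)."""
    with tempfile.TemporaryDirectory() as shared:
        return stat.S_IMODE(os.stat(make_secure_dir(shared)).st_mode)


def run_attack(writer):
    """Simulate the race the attacker wins ahead of time: plant a symlink at
    the predictable name, then let the tool write. Returns what happened."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as home:
        victim = os.path.join(home, "victim.txt")  # a file the tool never meant to touch
        with open(victim, "w") as fh:
            fh.write("original")

        # Attacker moves first; planting a symlink needs only write access to the shared dir.
        os.symlink(victim, os.path.join(shared, PREDICTABLE_NAME))

        written = writer(shared, "tool output")

        with open(victim) as fh:
            victim_after = fh.read()
        return {
            "victim_clobbered": victim_after != "original",
            "wrote_through_symlink": os.path.realpath(written) == os.path.realpath(victim),
            "written_is_link": os.path.islink(written),
            "mode": stat.S_IMODE(os.lstat(written).st_mode),
        }


def main():
    for name, writer in (("predictable", write_predictable), ("mkstemp", write_secure)):
        print(name, run_attack(writer))
    print("mkdtemp mode", oct(secure_dir_mode()))


if __name__ == "__main__":
    main()
```

Running it shows the fixed-name writer clobbering the victim file through the planted symlink, while the mkstemp writer lands in a fresh 0600 file whose name the attacker could not have guessed. The same O_EXCL-plus-random-name idea is what mkdtemp gives you for whole scratch directories.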
