Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 7 Oct 2014 18:11:10 +0800
From: Pavel Labushev <pavel.labushev@...box.no>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts on Shellshock and beyond

Finding and fixing security bugs doesn't scale and doesn't even work.
New bugs are being introduced all the time, together with or even by the
code that fixes old bugs. And the more complicated and large a code base
is, the worse.

What works is recognising and eliminating whole bug _classes_, or
deploying exploitation mitigation measures against them. But good luck
convincing software developers they should do that, that they should
learn something new, change their workflow, their toolchain, work on
their discipline, change their priorities, consider external experts'
opinions and generally "waste" their time on something as hardly
measurable and conventionally "insignificant" as software security.

Also, sometimes, to make some things considerably more secure instead
of just participating in a cargo cult, you should literally replace
things with something more thought, with better architecture and design,
using more secure technologies and approaches, etc. But that's not how
software development works in general, that's not how people want to
spend their resources. And even Snowden's leaks didn't really change
that.

Thinking that there's some "reasonable" approach, like bug fixing
or something, is just plain wrong, in the AV industry style. There are
no "reasonable" approaches, the system is fscked up and it won't change
so easily in any foreseeable future. To make some real difference, we
should stop participating in the cargo cult of security bugs fixing,
get the guts to admit that it doesn't work, and move on.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.