Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 6 Mar 2016 18:09:17 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On Sun, Mar 06, 2016 at 12:39:46PM +0000, op7ic x00 wrote:
> www.freeovi.com  -> it does have big `blue' button.

Oh, I wasn't aware of it, and a Google search for "freeovi" or "ovi id"
finds only irrelevant stuff now.  I think it was not publicized enough.
Also, there's a name clash of "freeovi" with some old Nokia maps stuff.

As to the button (non-)issue, I brought it to Twitter poll.  Of course,
it's not the same crowd as oss-security, but I want to get an overall
picture of how strongly people feel in favor of not wasting IDs, without
spamming this list with "+1" replies:

https://twitter.com/solardiz/status/706488297242140672

In fact, there are pretty strong results after a few minutes already.

One of my concerns was that people would be hunting for vanity OVE IDs.
I didn't want to encourage waste of time on that, nor attempts to
increase the counter up to a pretty-looking number.  The latter is one
of the reasons why I chose to include the full date rather than just the
year - this makes numbers like 7777 less valuable, since there's one of
each of those every day.  (Another reason to include the full date is
that it may sometimes provide some insight into disclosure timelines,
even if not reliably.  I suspect some people won't like that, though.)
I think OVI, if it gains popularity and is not adjusted, is far more
"vulnerable" to such vanity ID hunting.

Also, having the IDs increase up to a few thousand on each normal day
may discourage deliberate/malicious attempts to do so, and people trying
to skip IDs on such days and come back for lower IDs tomorrow.

However, there appears to be a psychological aspect with spilling
unrequested IDs on the page.  It makes many people feel sorry.  I think
I underestimated that.

(Another workaround would be to use randomized yet 4-digit IDs, but
being able to get some sequential IDs is very nice for assigning them to
related vulnerabilities.  This is why the page currently spills 10 IDs
at once on a second page load from the same IP address, and a few times
more, as long as the current ID is sufficiently below 9999 to allow for
this generosity.)

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.