Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 12 Jan 2018 14:58:10 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: On reading, thinking, copying

Hello list,

After getting home from work (and after fixing my emulated server
that could not handle the SSL handshakes any more), I was quite
amused reading the references around yesterday's CVE-2018-1000001.

Derived from that, here some hints to improve quality in security
information handling:


1) The first link in an article usually is not the most important
one. This is due to probability theory and correlates with the
number of citations in the article. It even is less likely to
be relevant, when the article starts citing the historic context
- unless you are a software archeologist.

2) If the resource behind the first reference has some well-known
name in the first few lines, you should not conclude, that this
prooves the argument, you want to have prooven. You should still
read, what this source says and put it in the context of the current
argument. Otherwise you might end up at crap-press quality level:
cite Harvard in the first line (no one will check the reference
anyway) and the claim whatever you want.

3) There are quite some differences between an errant lxstat call
and a buffer overflow. SOC members should know that. While the
first by itself is just a bug and has zero security relevance
when triggered in a fully user-controlled directory structure
(proove me wrong), still the later might have quite severe security
implications.

4) Just because someone else copied crap without thinking, you
should not do the same.


Here is a suboptimal Google dork to get an approximate ranking
of the most popular copy-without-thinking sites related to this
issue (and subtract automated feed forwarding and correct context
citations by hand).

https://www.google.com/search?q=%22CVE-2018-1000001%22+%22sourceware.org/bugzilla/show_bug.cgi%3Fid%3D18203%22&filter=0

hd

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.