From: Matthew Finkel
Date: Thu, 23 Jun 2011 22:52:04 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity
Message-ID: <4E03FBD4.2050000@gmail.com>

On 06/23/11 19:54, walt wrote:
> I've been reading the monthly security bulletin from sans.org for
> several years. During that time I've noticed some recurring themes,
> including multiple appearances from Adobe products like Flash.
>
> Another recurring theme is ftp servers (of which there are dozens)
> like this month's report:
>
> Platform: Cross Platform
> Title: Wing FTP Server "ssh public key" Authentication Security Bypass
> Vulnerability
> Description: Wing FTP Server is a secure file server for Windows, Linux,
> Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
> issue that affects the SSH authentication mechanism. Versions prior to
> Wing FTP Server 3.8.8 are affected.
> Ref: http://www.securityfocus.com/bid/48335/info
>
> Mind you, this is the first time I've seen Wing mentioned, but over the
> years there have been dozens of other ftp servers cited for other flaws
> in security.
>
> My question: WTF uses these poorly written ftp servers? Why do they
> exist? Who asked for them? Who wrote the code, and why?
>
> My tentative guess: either evil programmers, or incompetent programmers.
> (I suspect the intersection of the two sets is very small.)
>
> Many years ago when I was still using M$ Windows I wrote my own hex
> editor in Visual Basic. I can't explain why I chose to do it, other
> than as an exercise to learn Visual Basic. (I haven't used it since.)
>
> I'm quite certain that my hex editor would flunk even the most basic
> security tests today because I wasn't programming with security in mind.
> (In other words, I was the rankest of amateurs.)
>
> I'm running out of indignation now, and going to bed, but I'd welcome
> other indignant comments :)

Programming secure software is not the easiest task to master. It takes a lot of planning and enough knowledge about the components you're using to know exactly how they all work together, as well as how they are not supposed to be used. In many cases, vulnerabilities originate from a lack of knowledge in novice programmers. Others are just something that was overlooked in the planning stage, which becomes much more possible as the size of the program increases. And, of course, sometimes people make a mistake.

As for the ftp (etc.) programs, this is what you get in the FOSS world. I'm not referring to the programs with security holes, but to the abundance of available programs of all shapes and sizes. Many are great, some are not; but you have the option to pick and choose which work best for you. The same is generally true for proprietary software too.

No one necessarily asked for them, but it was a choice the dev made to spend the time to write the program. It's possible they purposefully implemented a flawed security model, but I don't *think* that's usually the case (but I could just be very naive).

Personally, I don't know why anyone would pay for software anymore, but that's just me :-P