public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] [OT/rant] Self-replicating programmer stupidity
From: walt @ 2011-06-23 23:54 UTC
  To: gentoo-user

I've been reading the monthly security bulletin from sans.org for
several years.  During that time I've noticed some recurring themes,
including multiple appearances from Adobe products like Flash.

Another recurring theme is ftp servers (of which there are dozens)
like this month's report:

Platform: Cross Platform
Title: Wing FTP Server "ssh public key" Authentication Security Bypass
Vulnerability
Description: Wing FTP Server is a secure file server for Windows, Linux,
Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
issue that affects the SSH authentication mechanism. Versions prior to
Wing FTP Server 3.8.8 are affected.
Ref: http://www.securityfocus.com/bid/48335/info

Mind you, this is the first time I've seen Wing mentioned, but over the
years there have been dozens of other ftp servers cited for other flaws
in security.

My question:  WTF uses these poorly written ftp servers?  Why do they
exist?  Who asked for them?  Who wrote the code, and why?

My tentative guess: either evil programmers, or incompetent programmers.
(I suspect the intersection of the two sets is very small.)

Many years ago when I was still using M$ Windows I wrote my own hex
editor in Visual Basic.  I can't explain why I chose to do it, other
than as an exercise to learn Visual Basic.  (I haven't used it since.)

I'm quite certain that my hex editor would flunk even the most basic
security tests today because I wasn't programming with security in mind.
(In other words, I was the rankest of amateurs.)

I'm running out of indignation now, and going to bed, but I'd welcome
other indignant comments :)





* [gentoo-user] Re: [OT/rant] Self-replicating programmer stupidity
From: Harry Putnam @ 2011-06-24  1:05 UTC
  To: gentoo-user

walt <w41ter@gmail.com> writes:

> I've been reading the monthly security bulletin from sans.org for
> several years.  During that time I've noticed some recurring themes,
> including multiple appearances from Adobe products like Flash.
>
> Another recurring theme is ftp servers (of which there are dozens)
> like this month's report:
>
> Platform: Cross Platform
> Title: Wing FTP Server "ssh public key" Authentication Security Bypass
> Vulnerability
> Description: Wing FTP Server is a secure file server for Windows, Linux,
> Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
> issue that affects the SSH authentication mechanism. Versions prior to
> Wing FTP Server 3.8.8 are affected.
> Ref: http://www.securityfocus.com/bid/48335/info
>
> Mind you, this is the first time I've seen Wing mentioned, but over the
> years there have been dozens of other ftp servers cited for other flaws
> in security.
>
> My question:  WTF uses these poorly written ftp servers?  Why do they
> exist?  Who asked for them?  Who wrote the code, and why?
>
> My tentative guess: either evil programmers, or incompetent programmers.
> (I suspect the intersection of the two sets is very small.)
>
> Many years ago when I was still using M$ Windows I wrote my own hex
> editor in Visual Basic.  I can't explain why I chose to do it, other
> than as an exercise to learn Visual Basic.  (I haven't used it since.)
>
> I'm quite certain that my hex editor would flunk even the most basic
> security tests today because I wasn't programming with security in mind.
> (In other words, I was the rankest of amateurs.)
>
> I'm running out of indignation now, and going to bed, but I'd welcome
> other indignant comments :)

Egad, such foolishness.  What's wrong with them...

(How did I do for indignant?  ; ) )





* Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity
From: Matthew Finkel @ 2011-06-24  2:52 UTC
  To: gentoo-user

On 06/23/11 19:54, walt wrote:
> I've been reading the monthly security bulletin from sans.org for
> several years.  During that time I've noticed some recurring themes,
> including multiple appearances from Adobe products like Flash.
>
> Another recurring theme is ftp servers (of which there are dozens)
> like this month's report:
>
> Platform: Cross Platform
> Title: Wing FTP Server "ssh public key" Authentication Security Bypass
> Vulnerability
> Description: Wing FTP Server is a secure file server for Windows, Linux,
> Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
> issue that affects the SSH authentication mechanism. Versions prior to
> Wing FTP Server 3.8.8 are affected.
> Ref: http://www.securityfocus.com/bid/48335/info
>
> Mind you, this is the first time I've seen Wing mentioned, but over the
> years there have been dozens of other ftp servers cited for other flaws
> in security.
>
> My question:  WTF uses these poorly written ftp servers?  Why do they
> exist?  Who asked for them?  Who wrote the code, and why?
>
> My tentative guess: either evil programmers, or incompetent programmers.
> (I suspect the intersection of the two sets is very small.)
>
> Many years ago when I was still using M$ Windows I wrote my own hex
> editor in Visual Basic.  I can't explain why I chose to do it, other
> than as an exercise to learn Visual Basic.  (I haven't used it since.)
>
> I'm quite certain that my hex editor would flunk even the most basic
> security tests today because I wasn't programming with security in mind.
> (In other words, I was the rankest of amateurs.)
>
> I'm running out of indignation now, and going to bed, but I'd welcome
> other indignant comments :)

Programming secure software is not the easiest task to master. It takes
a lot of planning and enough knowledge about the components you're using
to know exactly how they all work together, as well as how they are not
supposed to be used. In many cases, vulnerabilities originate from lack
of knowledge in novice programmers. Others are just something that was
overlooked in the planning stage, which becomes much more possible as
the size of the program increases. And, of course, sometimes people make
a mistake.

As for the ftp(, etc) programs, this is what you get in the FOSS world.
I'm not referring to the programs with security holes, but to the
abundance of available programs of all shapes and sizes. Many are great,
some are not; but you have the option to pick and choose which work best
for you. The same is generally true for proprietary software too. No one
necessarily asked for them, but it was a choice the dev made to spend
the time to write the program. It's possible they purposefully
implemented a flawed security model, but I don't *think* that's usually
the case (but I could just be very naive).

Personally, I don't know why anyone would pay for software anymore, but
that's just me :-P




* Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity
From: Bill Longman @ 2011-06-24 14:18 UTC
  To: gentoo-user

On 06/23/2011 07:52 PM, Matthew Finkel wrote:
> Programming secure software is not the easiest task to master. It takes
> a lot of planning and enough knowledge about the components you're using
> to know exactly how they all work together, as well as how they are not
> supposed to be used. In many cases, vulnerabilities originate from lack
> of knowledge in novice programmers. Other's are just something that was
> overlooked in the planning stage, which becomes much more possible as
> the size of the program increases. And, of course, sometimes people make
> a mistake.

It's getting easier to write "syntactically" secure code but you can't
write "semantically" secure code unless you understand several domains
simultaneously. There have been enough foul-ups to make the current
generation of tools enforce syntactic security. But just because I *have
to* use component XYZ in a function call doesn't mean I have to make
that call with *any* semblance of intelligence about the current state
and environment. In other words, as Matthew wrote above, it ain't always
that easy. You can bolt the doors and windows, but if your walls are
merely sheetrock, a well-placed foot will get you in.




* Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity
From: Arttu V. @ 2011-06-24 15:49 UTC
  To: gentoo-user

On 6/24/11, walt <w41ter@gmail.com> wrote:
> My question:  WTF uses these poorly written ftp servers?  Why do they
> exist?  Who asked for them?  Who wrote the code, and why?

Maybe they're all derivatives of a single codebase with lots of bugs
and a MIT/BSD/Apache-style license?

-- 
Arttu V.




* Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity
From: Paul Hartman @ 2011-06-24 20:02 UTC
  To: gentoo-user

On Thu, Jun 23, 2011 at 6:54 PM, walt <w41ter@gmail.com> wrote:
> My question:  WTF uses these poorly written ftp servers?  Why do they
> exist?  Who asked for them?  Who wrote the code, and why?
>
> My tentative guess: either evil programmers, or incompetent programmers.
> (I suspect the intersection of the two sets is very small.)

I think you get the one-man-Windows-shareware kind of projects, which
are almost surely going to have holes caused by
incompetence/inexperience. You have academic projects which are mostly
abandoned or left in a state of disrepair (like wu-ftpd, remember
that?). Then you get the huge-corporation kind of projects which have
holes based on rushing to meet deadlines, undocumented decade-old
legacy mystery code that nobody knows about, managers who don't care
about security until after a bug is found, etc.




* [gentoo-user] Re: [OT/rant] Self-replicating programmer stupidity
From: walt @ 2011-06-24 21:04 UTC
  To: gentoo-user

On 06/24/2011 08:49 AM, Arttu V. wrote:
> On 6/24/11, walt <w41ter@gmail.com> wrote:
>> My question:  WTF uses these poorly written ftp servers?  Why do they
>> exist?  Who asked for them?  Who wrote the code, and why?
> 
> Maybe they're all derivatives of a single codebase with lots of bugs
> and a MIT/BSD/Apache-style license?

I like it :)




