From: Harry Putnam
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: [OT/rant] Self-replicating programmer stupidity
Date: Thu, 23 Jun 2011 20:05:58 -0500
Organization: Still searching...
Message-ID: <8762nwavih.fsf@newsguy.com>

walt writes:

> I've been reading the monthly security bulletin from sans.org for
> several years. During that time I've noticed some recurring themes,
> including multiple appearances from Adobe products like Flash.
>
> Another recurring theme is ftp servers (of which there are dozens)
> like this month's report:
>
> Platform: Cross Platform
> Title: Wing FTP Server "ssh public key" Authentication Security Bypass
> Vulnerability
> Description: Wing FTP Server is a secure file server for Windows, Linux,
> Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
> issue that affects the SSH authentication mechanism. Versions prior to
> Wing FTP Server 3.8.8 are affected.
> Ref: http://www.securityfocus.com/bid/48335/info
>
> Mind you, this is the first time I've seen Wing mentioned, but over the
> years there have been dozens of other ftp servers cited for other flaws
> in security.
>
> My question: WTF uses these poorly written ftp servers? Why do they
> exist? Who asked for them? Who wrote the code, and why?
>
> My tentative guess: either evil programmers, or incompetent programmers.
> (I suspect the intersection of the two sets is very small.)
>
> Many years ago when I was still using M$ Windows I wrote my own hex
> editor in Visual Basic. I can't explain why I chose to do it, other
> than as an exercise to learn Visual Basic. (I haven't used it since.)
>
> I'm quite certain that my hex editor would flunk even the most basic
> security tests today because I wasn't programming with security in mind.
> (In other words, I was the rankest of amateurs.)
>
> I'm running out of indignation now, and going to bed, but I'd welcome
> other indignant comments :)

Egad, such foolishness. What's wrong with them...

(How did I do for indignant? ; ) )