Risk: adopting FS code without adopting FS practices

IWETHEY v. 0.3.0 | TODO

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #32,287

Picture of kmself

3/15/02 1:45:18 AM

Risk: adopting FS code without adopting FS practices

Microsoft has adopted and appropriate free software code. It's failed to adopt free software practices. The risk here is rather similar to the one pointed out (with a certain charming amount of repetition) by our very own LAME, ASD some years ago: the secretary's got the source code.

I was watching an NT 4.0 WS system here boot the other day, and something caught my eye. "Build 1381". That's the same build of the NT 4.0 kernel that I had on my desktop in 1997. Proprietary code has a strong tendency to rev very slowly, and a given build of a program may be extant in large numbers for years. Part of the security of free software comes in the quick cycle time -- people outrun the bugs. The other side of the security coin comes from the rich multitude of software versions out there. While it's (sometimes) a nightmare for compatibility, it also makes the cracker's job more difficult -- scripted attacks are likely to work against only a small number of vulnerable systems, just by virtue of the changing target syndrome.

I'll wager that a significant portion of Debian systems are already revved past this week's zlib flaw. I'll also wager that in three years, a significant portion of proprietary software systems based on zlib code will continue to exhibit the exploit, while the GNU/Linux and other free software systems have moved far beyond it.

Food for thought: you can't half adopt FS.

-- Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com] [link|http://kmself.ix.netcom.com/|[link|http://kmself.ix.netcom.com/|http://kmself.ix.netcom.com/]] What part of "gestalt" don't you understand?

Post #32,417

3/15/02 9:37:37 PM

But note that MS doesn't update the build #'s

I don't know the details, but I've noticed that updating the system via service packs doesn't change the build number; it's the same build number (1381) followed by the Service Pack #.

I'm not sure where other OS 'upgrades' (such as installing later versions of IE) are tracked.

Tony

zlib advisory - (ben_tilly) - (16) - March 11, 2002, 05:46:41 PM EST

Re: zlib advisory - a similar link. - (a6l6e6x) - March 11, 2002, 11:25:28 PM EST

Remedy? - (kmself) - (3) - March 12, 2002, 12:12:38 AM EST

Erg. - (static) - March 12, 2002, 12:27:49 AM EST

Well OpenBSD was never vulnerable. :-) - (ben_tilly) - (1) - March 12, 2002, 12:41:28 AM EST

OpenBSD as server - (kmself) - March 12, 2002, 01:51:32 PM EST

Re: zlib advisory - (pwhysall) - (1) - March 12, 2002, 02:29:24 AM EST

Re: zlib and up2date - (a6l6e6x) - March 12, 2002, 02:29:21 PM EST

Microsoft vulnerable too - uses zlib code - (admin) - (2) - March 14, 2002, 10:07:28 PM EST

Risk: adopting FS code without adopting FS practices - (kmself) - (1) - March 15, 2002, 01:45:18 AM EST

But note that MS doesn't update the build #'s - (tonytib) - March 15, 2002, 09:37:37 PM EST

I'm confused about the entire thing - (wharris2) - (5) - March 14, 2002, 11:08:50 PM EST

DoS is an attack - (ben_tilly) - (4) - March 14, 2002, 11:38:03 PM EST

Re: DoS is an attack - (wharris2) - (3) - March 15, 2002, 12:08:18 AM EST

Then I suggest... - (Yendor) - (1) - March 15, 2002, 09:56:32 AM EST

I've run into double-free problems before - (wharris2) - March 16, 2002, 10:05:44 AM EST

It's a known class of exploit... - (kmself) - March 15, 2002, 02:12:46 PM EST

China?
68 ms