Insecurity Forevar! [was: Mu [prior to that: How worse is the Shellshock bash bug than Heartbleed?]]
On 10/5/14, Georgi Guninski <guninski@guninski.com> wrote:
> ... ok, i won't argue :)

one last beating of this dead horse:

"The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's 1991 seminal Practical Unix Security (or at least the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE it is so basic." - https://docstrange.livejournal.com/95142.html

also relevant, "Dear clueless assholes: stop bashing bash and GNU... You people are pieces of shit. I am disgusted..." - https://weev.livejournal.com/409835.html

"These bugs that happen, these mistakes in software that lead to vulnerabilities, they aren’t one-off problems. They’re systemic. There are patterns to them and patterns to how people take advantage of them. But it isn’t in any one particular company’s interest to dump a pile of their own resources into fixing even one of the problems, much less dump a pile of resources into an engineering effort to fight the pattern... They’ve got even less incentive to fix entire classes of vulnerabilities across the board. Same goes for everybody else in the game... it’s worse than a tragedy of the commons, it’s a race to the bottom." - https://medium.com/message/how-i-explained-heartbleed-to-my-therapist-4c1dbc...
On Sun, Oct 12, 2014 at 05:35:15PM -0700, coderman wrote:
> On 10/5/14, Georgi Guninski <guninski@guninski.com> wrote:
>> ... ok, i won't argue :)
>
> one last beating of this dead horse:
>
> "The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's 1991 seminal

lol, look at the warez almost all people are using. if you follow all such advice you'd better not power it on. note to myself: stay away from forks of this thread...

> Practical Unix Security (or at least the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE it is so basic." - https://docstrange.livejournal.com/95142.html
>
> also relevant, "Dear clueless assholes: stop bashing bash and GNU... You people are pieces of shit. I am disgusted..." - https://weev.livejournal.com/409835.html
>
> "These bugs that happen, these mistakes in software that lead to vulnerabilities, they aren’t one-off problems. They’re systemic. There are patterns to them and patterns to how people take advantage of them. But it isn’t in any one particular company’s interest to dump a pile of their own resources into fixing even one of the problems, much less dump a pile of resources into an engineering effort to fight the pattern... They’ve got even less incentive to fix entire classes of vulnerabilities across the board. Same goes for everybody else in the game... it’s worse than a tragedy of the commons, it’s a race to the bottom." - https://medium.com/message/how-i-explained-heartbleed-to-my-therapist-4c1dbc...
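The practice both messages quote (discard the inherited environment before handing control to a shell or other child process) is easy to state and easy to get wrong. The following is an added example, not code from the thread or from the books it cites: a small Python wrapper that builds the child's environment from an explicit allowlist instead of passing `os.environ` through, so variables a parent derives from untrusted input (the `HTTP_USER_AGENT` name below is a constructed CGI-style sample) never reach the child. The allowlist, the fixed `PATH` override and the control-character check are assumptions chosen for the example; a real service would pick its own set.

```python
"""Run a child command with a minimal, allow-listed environment.

Added example (not from the thread). The parent's environment is never
passed through wholesale: only explicitly allow-listed names are copied,
selected names are pinned to fixed values, and values containing control
characters are dropped rather than forwarded.
"""
import os
import re
import subprocess

# Variables a typical service legitimately needs; everything else is dropped.
# Assumption: this set is application-specific and chosen by the caller.
DEFAULT_ALLOWLIST = ("PATH", "HOME", "LANG", "TZ")

# Fixed values that replace whatever the parent inherited (assumed sane PATH).
SAFE_DEFAULTS = {"PATH": "/usr/bin:/bin"}

# Variable names must look like ordinary shell identifiers.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def clean_env(inherited, allowlist=DEFAULT_ALLOWLIST, overrides=SAFE_DEFAULTS):
    """Return a fresh environment dict built only from allow-listed names.

    `inherited` is the parent's environment (normally os.environ). Names not
    in `allowlist` are discarded, malformed names are discarded, names in
    `overrides` get the pinned value, and values with control characters
    (newline, NUL, escape, ...) are rejected instead of copied.
    """
    env = {}
    for name in allowlist:
        if not _NAME_RE.match(name):
            continue
        if name in overrides:
            env[name] = overrides[name]
            continue
        value = inherited.get(name)
        if value is None:
            continue
        if any(ord(ch) < 0x20 for ch in value):
            # Control characters have no place in PATH/HOME/LANG/TZ; drop it.
            continue
        env[name] = value
    return env


def run_with_clean_env(argv, allowlist=DEFAULT_ALLOWLIST):
    """Execute argv directly (no shell) with a freshly built environment."""
    env = clean_env(os.environ, allowlist)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed demonstration: a CGI-style variable and a tampered PATH
    # that the parent "inherited" from a request.
    inherited = dict(os.environ, HTTP_USER_AGENT="constructed-value", PATH="/tmp:/usr/bin")
    print(sorted(clean_env(inherited)))  # HTTP_USER_AGENT is absent, PATH is pinned
```

The design choice worth noting is the direction of the filter: an allowlist of names the child needs, not a denylist of names that look dangerous. A denylist has to anticipate every variable a web server, mail gateway or cron job might populate from outside input; an allowlist makes that question irrelevant.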