Dailydave mailing list archives
Samba, Google, and The Audacity of Hope
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 11 Apr 2008 11:19:30 -0400
I think launching the Google Application Engine is pretty much an audacity of hope kind of event - the zlib bug in Python on the day it came out is just the tip of the tip of the iceberg as far as that sort of bug goes. Did they really think you can sandbox someone inside cPython by removing local file access and the socket module? Perhaps Guido sat down and audited it for bugs and just missed one.

One thing I'm learning from that is that "auditing your code" is not a security solution. It's a stop-gap that is hugely expensive and sometimes a good learning solution. Its goal is to help you produce automated solutions to find similar bugs, and guide your technology decisions to more secure platforms. Because what DOES work is moving to a more secure platform. In Google's case, IronPython on Mono is probably their best solution.

But there are lots of other places this is important that people ignore too. For example, you can own your Asus Eee PC out of the box with Samba. I understand they need to have CIFS support, and Samba is considered the top of the line. But Eee PC customers don't need all the features of Samba. They just need something to mount drives and share files. There are lots of Python/Ruby/Perl stacks that can do all these things and don't have buffer overflows. Also, Samba is a nightmare to configure, so picking another stack would have lots of side benefits. It's not like there won't be another overflow in Samba someday soon. Installing Samba exposed to the world on your consumer Linux without a nice way to update it is very "hopeful".

If someone wants to build a nice GUI and Ubuntu package based on the CANVAS SMBServer/client code, we'd donate that code to GPLv3.
-dave