Full Disclosure mailing list archives
Re: Evidence of a ISC being hacked?
From: Valdis.Kletnieks () vt edu
Date: Fri, 25 Jun 2004 13:03:49 -0400
On Thu, 24 Jun 2004 21:12:46 PDT, VX Dude <vxdude2003 () yahoo com> said:
"...and the build broke on OTHER systems because there wasn't a vsnprintf() in the vendor libc - and your boss is telling you TO GET THE THING TO BUILD, NOW.... The programmer who is willing to swear on a Bible that they have *never* in their professional careers done something like this because they were in a time crunch is either a newbie or a complete liar."

The word "boss" gives me the illusion of some profit being made. Once again I could just be paranoid.
Remember that the majority of code in this world is *still* custom-written applications code inside corporations. And I was discussing the *GENERAL* scenario of how such things happen. If "boss" offends you, replace it with "open source project leader".

You want an example in the open source world, wander over to the Gaim project on SourceForge, where within the last 48 hours or so, the Yahoo people changed their protocol again, leaving all the Trillian and Gaim users unable to connect to Yahoo. Awful lot of duplicate bug reports filed, and "me-too" followups to bug reports, and so on. That's the sort of time when corners get cut, code auditing may not be quite as stringent, and so on. In fact, the *last* time that Yahoo changed the protocol, the resulting patch flurry ended up with a buffer overflow in Gaim and Trillian (found by Stefan Messier, if I remember right), and the lack of proper paperwork resulted in some GPL questions against Trillian....

(I'm only picking on the Gaim project because I'm aware of it, partly because my fix for an earlier Gaim bug ended up dragged into the Gaim/Trillian GPL mess... All you fans of other open-source projects, quit smirking - someday *you*'ll be in that same position - I guarantee it, based on a quarter-century of observing this industry... ;)
Apparently the idea of people patching open source products just shows how much of newbs we are.
See above... just because it's open source doesn't mean it doesn't have those same problems.