
Re: OpenSSH: What went wrong?



On Sat, 29 Jun 2002 04:26:23 +1000 (Australia/ACT)
"Darren Reed" <avalon_(_at_)_coombs_(_dot_)_anu_(_dot_)_edu_(_dot_)_au> wrote:

> There have been lots of shouting and so forth in the past about how
> OpenSSH/BSD is audited and how the team of coders is so security
> conscious, etc, but then something like this happens.

Shit happens. If you're not prepared for that then it's your own
fault.

> What I was really looking for was some sort of statement saying that
> all new code would be checked more closely, not some cop-out about
> how this was a new kind of problem or anything else.

If it was indeed a new thing they should NOT say so and instead make
some empty statement about how things are going to be better from now on?
Saying != doing.

> Ok, the software might be for free and it might be a case of you get
> what you pay for, BUT, you are "selling" it with a lot of hype and
> building a lot of expectation in the user community.

As always, use your head and don't buy the hype. If you do, tough luck.

> Lots of people's security depends on this (openssh) so it's important
> for me and a lot of others that someone gets it right.

Your security should not rely on the infallibility of a single product.

> A proper code audit would have picked it up.

Bullshit. Auditing does not guarantee that there won't be any bugs; it only makes it more
likely you'll find them.
It is impossible to write bug-free code (with the possible exception of "Hello World")
and equally impossible for an audit to find every possible bug, all the time.

---
Lars Hansson