me, 2.0: jose nazario
beauty and the street
google code search
ok, now that i've filed a
by using google codesearch, i hope
you see the point: we have a moderately powerful, very large-scale code
comber. arm yourself with some regular expressions and voila, you can spot bugs in
dozens of projects at once. some of these may be really nasty, exploitable bugs. most
are just minor annoyances.
i intentionally left out a boatload of security bugs i've found, including off-by-ones,
web application bugs, an authentication bypass in pam_smb,
what may be another security bug in another product, and more. i'm trying to be responsible
when i do this. these bugs here aren't very sexy, they're minor reliability or functionality
bugs. but, one of those in the wrong place can lead to a security issue, and it often does.
like i said in an
earlier post, find a lot of bugs and fix 'em, and a few will be security related. the
worst you wind up with is more reliable software, and that's not a bad thing. this has
historically been the mantra of OpenBSD, and
it has usually worked.
i'm not going to run off to bugtraq and file a slew of reports; i've chosen instead to
work with the developers of the possible security bugs (and really all bugs) that i've
found and get those issues fixed. now that i have been working for a commercial software
development house for many years, i see how hard it is to get everything right in development
and testing. stuff slips through the cracks, and the best thing you can do is respect your
peers and work with them to fix minor nits. after all, i write very buggy code myself, we
update: dang, the mozilla bug i found was already known. my bug
on it was the second duplicate!
Last modified: Saturday, Oct 07, 2006 @ 02:38pm
copyright © 2002-2005 jose nazario, all rights reserved.