From: Eugen Leitl (eugen@leitl.org)
Date: Tue Sep 17 2002 - 02:28:01 MDT
On Mon, 16 Sep 2002, Wei Dai wrote:
> I wonder if anyone is as disturbed as I am with the recent news of
> remote exploitable holes in OpenSSH and OpenSSL that allow attackers
> to run arbitrary code. When open-source software whose only purpose is
Don't be disturbed. Software is buggy. Depending on the skills of the
authors, the language used, and how many critical eyeballs the code sees,
and how long it exists the code contains more or less errors. Some
software out there is pretty good. Most is awful, yes.
> to improve computer security actually make it worse, I have to wonder
I do not understand where the 'worse' comes from. I have no problems with
either OpenSSH or Apache/mod_ssl. A vulnerability gets announced, it is
typically fixed the other day, or soon after. Do look how Redmond handles
vulnerabilities. Security by obscurity isn't.
> if security is possible at all. Has anyone thought about what causes
Security is a continuum. It's not 'I have security' or 'I don't'.
> this seeming inability of human beings to write secure software, and
You just found out? Wow.
> what its implications are for the future?
Why, making computers grow their own code. Isn't it obvious?
> Here are some of the security advisories:
> http://online.securityfocus.com/advisories/4241
> http://online.securityfocus.com/advisories/4316
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:17:06 MST