From owner-freebsd-security Thu Mar 11 16:53:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from aniwa.sky (p46-max12.wlg.ihug.co.nz [216.100.145.46]) by hub.freebsd.org (Postfix) with ESMTP id 3FEA0152F0 for ; Thu, 11 Mar 1999 16:53:16 -0800 (PST) (envelope-from andrew@squiz.co.nz) Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id NAA09299; Fri, 12 Mar 1999 13:52:21 +1300 (NZDT) Message-Id: <199903120052.NAA09299@aniwa.sky> X-Mailer: exmh version 2.0.2 2/24/98 To: Nicholas Brawn Cc: mike@seidata.com, andrewr , freebsd-security@FreeBSD.ORG, jbowie@slack.net Subject: Re: disapointing security architecture In-reply-to: Your message of "Fri, 12 Mar 1999 09:31:52 +1100." <199903120830.TAA28219@goblin.citadel.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 12 Mar 1999 13:52:21 +1300 From: Andrew McNaughton Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I'm also interested. However, if I recall correctly, the problem last time > was that nobody actually sat down and did the work. There were plenty of > ideas, but when it came to the crunch, nobody wanted to put in the effort. > > Nick As I recall, discussion turned to concerns over who was qualified to do the work, which seemed rather silly. No security auditing project is going to be complete. No auditor is going to be perfect. Every bit counts. Seems to me that one of the most useful things that could be set up would be a repository of information on what's been checked when by who, and what people have suggested needs to be gone over. I imagine this would be something similar to gnats, or be an adaption of that package. A repository where you could reports identifying problems, suggesting solutions, describing auditing which has been done etc. Should be structured so that you can goto the repository and find out all that's been done on a piece of code you're interested in. I'm interested by this project, but realistically, I can't commit much time to it. Every so often though I check out something that concerns me and as things are whatever information I gather tends not to be made available to others unless it amounts to a confirmed vulnerability. For instance, last year I spotted the buffer overflow potential in the sshd 1.2.25 logging routine which was later the subject of much discussion in bugtraq. I didn't have the time to go through and check out all the places in the code where the routine was called from, and the ones I did check seemed OK, so it didn't go anywhere. An auditing effort needs to have a way to make use of preliminary results like that. There's a bit of work involved in setting up a repository for this sort of information, but it allows the breaking down of the hugs task of auditing an OS into a lot of small tasks that can nonetheless still be part of a whole project. Andrew McNaughton -- ----------- Andrew McNaughton andrew@squiz.co.nz http://www.newsroom.co.nz/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message