From owner-freebsd-security Tue Jul 28 12:06:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA18277 for freebsd-security-outgoing; Tue, 28 Jul 1998 12:06:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bytor.rush.net (lynch@bytor.rush.net [209.45.245.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA18167 for ; Tue, 28 Jul 1998 12:05:23 -0700 (PDT) (envelope-from lynch@rush.net)
Received: from localhost (lynch@localhost) by bytor.rush.net (8.9.1/8.8.8) with SMTP id PAA08900; Tue, 28 Jul 1998 15:04:05 -0400 (EDT) (envelope-from lynch@rush.net)
Date: Tue, 28 Jul 1998 15:04:04 -0400 (EDT)
From: Pat Lynch
To: Adam Shostack
cc: andrewr , security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <199807222201.SAA28072@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry I'm reentering this conversation so late, I had oral surgery and have been playing catchup ever since... there's a couple of good ideas here....

1) to assign simple auditing tasks like looking over code for the more obvious things
2) to assign groups parts of the tree to look at as well
3) the more "skilled" coders to work out the hairier bits (which I know I myself am not qualified for, but might have a couple of people working for me who are, and use FreeBSD as much as I do)

This could be a really good project with a really good project leader and a few coordinators.

___________________________________________________________________________
Pat Lynch                                                    lynch@rush.net
Systems Administrator                                        Rush Networking
___________________________________________________________________________

On Wed, 22 Jul 1998, Adam Shostack wrote:

>
> | > The biggest problem before was that many people doing the audit didn't
> | > know what to look for, so missed a lot of things.....
> |
> | Which is why I am going to ask people who I know for sure know what to
> | look for.
>
>
> 	Could I suggest that rather than insist on getting skilled
> people, you consider offering help to volunteers? Something like my
> review guidelines (which need more on temp races) can let someone
> without a lot of knowledge contribute first pass, so you can focus your
> good people on the uglier code. A complete audit takes years of work
> by a few highly skilled and dedicated people, but reading the Open-
> cvs logs and seeing if the changed code exists in Free- is not a high
> skill task. And it's where a lot of high payoff results will be.
>
> 	You might also want to listen to the linux audit project
> folks, to see how they're addressing things. The list is ezmlm run at
> security-audit-subscribe@ferret.lmh.ox.ac.uk
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> 					-Hume
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
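The first-pass review both messages describe (volunteers looking over code for the obvious things, with temp-file races as one of the gaps Adam names in his guidelines) can be partly mechanised so that the skilled reviewers' time goes to the hairier code. The script below is an added example written for this archive page; it is not code from the thread, from Adam's review guidelines, or from the FreeBSD project. The C sample it scans is constructed here, and the checklist in PATTERNS, the ACCESS_RE/OPEN_RE pair and the RACE_WINDOW value are assumptions about what a first-pass checklist would flag. It does two things a volunteer would otherwise do by eye: flag the well-known unbounded string calls and mktemp(), and pair an access() check with a later open() on the same path variable, which is the check-then-use shape of a temp race.

```python
import re
from typing import Dict, List

# Constructed C sample, written for this example; it is not FreeBSD code.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int save(const char *path, const char *data)
{
    char name[64];
    char tmpl[] = "/tmp/auditXXXXXX";
    strcpy(name, data);              /* unbounded copy into name[64] */
    if (access(path, W_OK) == 0) {   /* check ... */
        FILE *fp = fopen(path, "w");  /* ... then use: race window */
        fputs(name, fp);
        fclose(fp);
    }
    mktemp(tmpl);                    /* name chosen before the open */
    return 0;
}
"""

# Assumed first-pass checklist: call name -> (regex, why a reviewer should look closer).
PATTERNS: Dict[str, tuple] = {
    "gets": (re.compile(r"\bgets\s*\("), "reads with no length bound; use fgets"),
    "strcpy": (re.compile(r"\bstrcpy\s*\("), "unbounded copy; check the length or use strlcpy"),
    "strcat": (re.compile(r"\bstrcat\s*\("), "unbounded append; check the length or use strlcat"),
    "sprintf": (re.compile(r"\bsprintf\s*\("), "unbounded format; use snprintf"),
    "mktemp": (re.compile(r"\bmktemp\s*\("), "temp name chosen before open: race; use mkstemp"),
}

# Check-then-use pair: access() on a path variable, then open()/fopen() on the same variable.
ACCESS_RE = re.compile(r"\baccess\s*\(\s*([A-Za-z_]\w*)")
OPEN_RE = re.compile(r"\b(?:open|fopen)\s*\(\s*([A-Za-z_]\w*)")
RACE_WINDOW = 8  # assumed: lines between the check and the use that still count as a pair

COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")


def strip_comments(line: str) -> str:
    """Drop C comments so a call name mentioned in a comment is not a hit."""
    return COMMENT_RE.sub("", line)


def scan_source(src: str) -> List[Dict]:
    """Return one finding per suspicious call, in source order."""
    findings: List[Dict] = []
    pending_access: Dict[str, int] = {}  # path variable -> line of its access() call
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = strip_comments(raw)
        for name, (pat, why) in PATTERNS.items():
            if pat.search(line):
                findings.append({"line": lineno, "call": name, "why": why, "text": raw.strip()})
        m = ACCESS_RE.search(line)
        if m:
            pending_access[m.group(1)] = lineno
        m = OPEN_RE.search(line)
        if m and m.group(1) in pending_access:
            start = pending_access.pop(m.group(1))
            if lineno - start <= RACE_WINDOW:
                findings.append({
                    "line": lineno, "call": "access-then-open",
                    "why": f"access() at line {start} then open on the same path: "
                           f"TOCTOU race; open first and check the descriptor instead",
                    "text": raw.strip(),
                })
    return findings


def report(findings: List[Dict]) -> str:
    """Render findings as a short list for a reviewer's notes."""
    return "\n".join(f"line {f['line']}: {f['call']}: {f['why']}" for f in findings)


if __name__ == "__main__":
    print(report(scan_source(SAMPLE_C)))
```

Run against the constructed sample it reports three items: the strcpy() on line 9, the access()/fopen() pair at line 11, and the mktemp() on line 15. Everything it prints still needs a human to confirm (a strcpy() from a fixed literal is not a bug), which is exactly the division of labour the thread proposes: the script and the volunteer produce the list, the skilled reviewer judges it.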