From owner-freebsd-security Wed Jul 22 15:02:43 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id PAA05174
    for freebsd-security-outgoing; Wed, 22 Jul 1998 15:02:43 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA05158
    for ; Wed, 22 Jul 1998 15:02:34 -0700 (PDT)
    (envelope-from adam@homeport.org)
Received: (adam@localhost)
    by homeport.org (8.8.5/8.6.9) id SAA28072; Wed, 22 Jul 1998 18:01:15 -0400 (EDT)
From: Adam Shostack
Message-Id: <199807222201.SAA28072@homeport.org>
Subject: Re: Projects to improve security (related to C)
In-Reply-To: from andrewr at "Jul 22, 98 04:29:10 pm"
To: andrewr@slack.net (andrewr)
Date: Wed, 22 Jul 1998 18:01:15 -0400 (EDT)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > The biggest problem before was that many people doing the audit didn't
| > know what to look for, so missed a lot of things.....
|
| Which is why I am going to ask people who I know for sure know what to
| look for.

Could I suggest that rather than insist on getting skilled people, you consider offering help to volunteers? Something like my review guidelines (which need more on temp races) can let someone without a lot of knowledge contribute first pass, so you can focus your good people on the uglier code.

A complete audit takes years of work by a few highly skilled and dedicated people, but reading the Open- cvs logs and seeing if the changed code exists in Free- is not a high skill task. And it's where a lot of high payoff results will be.

You might also want to listen to the linux audit project folks, to see how they're addressing things.
The list is ezmlm run at security-audit-subscribe@ferret.lmh.ox.ac.uk

Adam

--
"It is seldom that liberty of any kind is lost all at once."
    -Hume