From owner-freebsd-security Tue Feb 11 03:05:40 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA14911 for security-outgoing; Tue, 11 Feb 1997 03:05:40 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA14872 for ; Tue, 11 Feb 1997 03:04:18 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id DAA22186 for ; Tue, 11 Feb 1997 03:05:02 -0800 (PST)
Received: (qmail 4924 invoked by uid 110); 11 Feb 1997 11:03:07 -0000
Message-ID: <19970211110307.4923.qmail@suburbia.net>
Subject: Re: Don't fulminate, be productive
In-Reply-To: from Dev Chanchani at "Feb 10, 97 05:02:56 pm"
To: dev@trifecta.com (Dev Chanchani)
Date: Tue, 11 Feb 1997 22:03:06 +1100 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Mon, 10 Feb 1997, Warner Losh wrote:
>
> > I'd wager that about 95% of the security problems in FreeBSD could
> > be solved by going over the OpenBSD cvs logs carefully and applying
> > those patches. Theo and co have been very careful in their audits of
> > their programs.

They have, but I prefer to not examine the OpenBSD base until after
auditing the FreeBSD base personally, lest it give you a false sense of
security. I'm not saying Theo et al haven't done a lot of work, but when
doing security analysis an uncontaminated perspective is important.

Also, I strongly disagree with the egrep 'strcpy|sprintf' etc approach.
Line by line code-flow-review is the only way to do it.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
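
An added illustration of the contrast drawn in the message above between searching for function names and reading code flow; it is not part of the original post. The function names, buffer sizes and inputs are constructed for the example: the first copy routine calls neither strcpy nor sprintf, so a pattern search passes over it, and only following the loop shows the one-byte overrun.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef size_t (*copy_fn)(char *dst, size_t cap, const char *src);

/* Constructed example. No strcpy or sprintf appears here, so
 * egrep 'strcpy|sprintf' reports nothing. Following the flow shows the
 * bug: the loop may store cap bytes, and the terminator is then written
 * to dst[cap], one byte past the end of the buffer. */
size_t copy_name_buggy(char *dst, size_t cap, const char *src)
{
    size_t i;
    for (i = 0; i < cap && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i + 1;               /* bytes stored, terminator included */
}

/* Corrected form: keep one byte for the terminator, refuse cap == 0. */
size_t copy_name_fixed(char *dst, size_t cap, const char *src)
{
    size_t i;
    if (cap == 0)
        return 0;
    for (i = 0; i + 1 < cap && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i + 1;
}

/* Runs fn against an 8-byte region at the start of a 16-byte arena, so
 * the stray store lands in memory this harness owns. Returns 1 when the
 * byte just past the region is untouched, 0 when it was overwritten. */
int guard_intact(copy_fn fn, const char *src)
{
    char arena[16];
    memset(arena, 0x55, sizeof arena);
    fn(arena, 8, src);
    return arena[8] == 0x55;
}

int main(void)
{
    const char *in[] = { "abc", "1234567", "12345678", "constructed-long-input" };
    for (size_t k = 0; k < sizeof in / sizeof in[0]; k++)
        printf("%-24s buggy:%d fixed:%d\n", in[k],
               guard_intact(copy_name_buggy, in[k]),
               guard_intact(copy_name_fixed, in[k]));
    return 0;
}
```

The overrun only appears once the input reaches the buffer size, which is why short test inputs do not reveal it either.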