[dns-operations] "freeware is a recipe for problems"
Douglas Otis
dotis at mail-abuse.org
Thu Sep 24 18:00:47 UTC 2009
On 9/24/09 9:58 AM, Florian Weimer wrote:
> * Stephane Bortzmeyer:
>
>> On Wed, Sep 23, 2009 at 02:13:04AM -0700,
>> Matthew Dempsky<matthew at dempsky.org> wrote
>> a message of 13 lines which said:
>>
>>> and also don't count CVE-2008-1447
>>
>> Indeed: http://www.nominum.com/asset_upload_file741_2661.pdf
>>
>> Now that they've said there never was a vulnerability,
>
> They said "known vulnerability", and probably mean "publicly disclosed
> vulnerability".
Back in the eighties, an application for a secret clearance required
confirmation as to whether you were or ever have been a member of the
communist party. Perhaps in the two aught tens, this becomes were you
or have you ever participated in open-source projects covered by a GNU
license.
There is a fair amount of effort attempting to make it more difficult
for bad actors, once they find a means to escalate user privilege, to
then locate code locations by things like ASLR (Address Space Layout
Randomization). Unfortunately, with only eight bits of entropy, this
technique is easily defeated by simple methods, while also making it
difficult to confirm a system's integrity. From a vendor's perspective,
if a compromise cannot be detected, then such compromises can be safely
considered non-existent, and thus to have never happened.
Little is being done to change long-standing practices that produce
exploit opportunities, such as avoiding C++ dependent upon high level
libraries inviting programmers to ignore the structural details related
to various class interfaces evolving within COM infrastructure, for
example. Even the approach of depending upon foreign objects to select
handler sources seems unlikely to change. Maybe they are right.
Perhaps it is better to not know what is lurking within a proprietary OS.
I was in China a while back talking with officials about tracking police
vehicles. When I suggested a need to encrypt information being
broadcast by radio, a long outburst with red faces lasted at least 20
minutes. During this, the translator, after whispering that it is
illegal to own a radio, kept writing "Not Important" over and over.
Perhaps if the attitude about open source software's inferiority to
proprietary software prevails, it will become illegal to even own a
disassembler.
-Doug