[thelist] News Item: Major Security Flaw in CVS

David Kaufman david at gigawatt.com
Fri Jan 24 16:32:00 CST 2003


Jason Handby <jasonh at pavilion.co.uk> wrote...

>> ... when it comes to overall product security and the speed at
>> which vulnerabilities are repaired, OSS has the commercial world
>> beat by a long shot.
>>
> The famous exception, of course, being the vulnerability in all
> BSD-derived versions of telnetd (the UNIX/Linux telnet daemon) [...]
> I wonder if that points up a weakness with the open-source code review
> process: people only spend time looking at code that's cutting-edge or
> "sexy", and telnetd clearly isn't sexy...

oh... <rant type="onagain">

your conclusion is based on the assumption that the telnetd code's lack of
"sexiness" is the primary reason the bug existed for so long before being
found and fixed.  might i suggest a more likely reason?

as has been pointed out elsewhere in this thread, the very *use* of telnet
has been deprecated for quite some time.  if one has few if any users, one
gets no bug reports, one does no fixes.

this is analogous to microsoft suspending support for a product when they
decide it's obsolete, like they did for Windows 95 and NT 3.5 last month, is
it not?  why waste man-hours supporting and maintaining software that's
obsolete?

telnetd is disabled or not installed at all, by default, in most if not all
*nix variants because the protocol itself is unencrypted and so insecure and
therefore obsolete.  ssh has been the not-just-recommended but absolutely
necessary replacement for telnet, and has been in wide use as such, for at
least six years now.  the only reason telnetd still ships with any of these
O/S's at all is purely for backward compatibility.  and the only possible
use i can think of for it is within a firewall-protected network where all
the users are trusted, like maybe a home LAN for instance.  and even in that
situation i'd use ssh anyway, because it is actively developed and
supported, whereas telnet is not.

could it be that, rather than its lack of "sexiness", its lack of users is
the reason that it has a lack of active developers?  developers and system
administrators who don't use telnet are not likely to be perusing the source
code for possible missed buffer overflow exploits.  they don't use it.  they
know that logging into their remote shell accounts with telnet will shortly
result in script kiddies sniffing their passwords, stealing their accounts
and setting up illegal warez sites and IRC bots overnight.  so even if the
telnetd code was flawless, it was about as secure as shouting your username
and password across the street.  so why would anyone waste time scouring the
code for security weaknesses?  that's like analyzing a brick for leaks that
might prevent it from floating in water.  it ain't gonna float anyway.

also, this is yet another example you've tried to put forth as evidence that
open source is less secure than commercial software, but which was merely a
*potential* security problem, that no one has ever reported actually
*having* been exploited, because it was found by an outside security expert
which was only possible due to the source code having been openly available.
i might add that the expert in question was one of those volunteer
developers that "you can't rely on".

do you think microsoft's file-and-printer-sharing NetBEUI protocol is
secure?  it doesn't matter because as MS will tell you, it's not meant to
be.  it was designed for use on private LANs where all users are trusted
and ever since internet access has become necessary on private LANs,
firewalls have been blocking all NetBEUI traffic to and from the internet.
why?  because it is so full of holes and exploits it was cheaper to firewall
it in than to fix it.  this was around the same time MS adopted the
open-source BSD socket code to create the winsock dll's that (to this day)
provide their users the only secure and reliable method of networking
windows boxes that Microsoft could muster.

> At Microsoft (for example)
> programmers don't revisit and re-examine code because it's sexy; they
> do it because they're paid to. This might mean it's not done as
> thoroughly or as fast in many cases, but perhaps it guarantees that
> it's actually done at all!

i doubt that even the brilliant managers at microsoft waste their well-paid
developers' time having them review the security of obsolete software that
was never designed to be secure from serious attackers in the first place.

microsoft doesn't fix their security flaws until so many users have been
hacked that the exploits become major media news, so if "getting paid to"
guarantees anything, it guarantees that the developers will do little else
than what their solely-profit-motivated corporation *tells* them to.

i would choose to rely on volunteers who do the work because they actually
care about the quality of the result, over the corporation who replaces
developers like pistons in an engine, any day.

</rant>

-dave