Re: [fw-wiz] FWTK and smap/smapd

From: Darren Reed (darrenr@reed.wattle.id.au)
Date: 07/19/02


From: Darren Reed <darrenr@reed.wattle.id.au>
To: mjr@ranum.com (Marcus J. Ranum)
Date: Fri Jul 19 01:09:00 2002

In some email I received from Marcus J. Ranum, sie wrote:
[...]
> I don't think audit works: there are more bad programmers than good
> programmers. So to audit all the code we'd have to stand down all
> the good programmers - who are the guys who get all the useful coding
> done anyhow. The entire software industry would collapse. Legend is
> this may already have happened.

While some may think the point I'm about to make is an example of how
audit works, I think it shows quite clearly that it is "not enough".

Earlier in the year, a bug showed up in mail(1) on OpenBSD. This
particular bug was OpenBSD specific. Why? Because someone changed
some code and reenabled this particular "feature". That this change
made it into a general release shows that while they may audit reams
of code, they don't audit their own changes very well (hence all of
the OpenSSH bugs from "new features") before 'approving' them for
general consumption by the public. When I dared to cross-examine them
on this, nobody seemed particularly concerned and nothing was going
to change in their software development methodology/life cycle.

Audit fixes a bug once, it does nothing to make sure it stays fixed
and it is an awfully big waste of time to have to reaudit stuff all
the time.

Darren

p.s. The0 will hate you for not liking his "audit works" drugs :)
p.p.s. Given the above I'd be inclined to take the Open*** crew of
programmers out of the "good" pool, making it somewhat smaller.


