Re: [Full-Disclosure] Web sites compromised by IIS attack

From: Akos Szalkai (szalkai_at_2fkft.com)
Date: 07/05/04

    To: FULL-DISCLOSURE@lists.netsys.com
    Date: Mon, 5 Jul 2004 16:43:31 +0200
    
    

    On Thu, Jul 01, 2004 at 06:09:05AM -0400, Valdis.Kletnieks@vt.edu created magic using only numbers:
    > On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl <pauls@utdallas.edu> said:
    >
    > > I attended a presentation yesterday for a security product in the
    > > application firewall field. During the presentation, the CISSP stated that
    > > "in every 1000 lines of code there will be 15 errors".
    >
    > Actually, I suspect most coders are *worse* than that.

    You may be right, but your calculations are an order of magnitude off. :)

    > Sendmail 8.13.0 weighs in at just about 90K lines of C code for
    > the main program. By that metric, there should only have been 135
    > bugs in it. In fact, there are 441 occurrences of 'Problem noted by'
    > in the release notes.

    Maybe you were not really awake yet (look at the Date header!), but if
    it's 15 errors/KLOC, then 90K lines of code should have 90*15=1350 bugs,
    not 9*15=135.

    You made the same mistake with BIND. I do not like those two pieces of
    software, but this time you showed that the Sendmail/BIND people are
    better than the average programmer.

    Akos

    -- 
    Akos Szalkai <szalkai@2f.hu>
    Principal IT Consultant, CISA
    2F 2000 Szamitastechnikai es Szolgaltato Kft.
    Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
