RE: Windows Update: A single point of failure for the world's economy?

From: Schmehl, Paul L (
Date: 09/04/03

    Date: Thu, 4 Sep 2003 09:59:05 -0500
    To: "Jeremy C. Reed" <>

    > -----Original Message-----
    > From: Jeremy C. Reed []
    > Sent: Wednesday, September 03, 2003 5:12 PM
    > To: Schmehl, Paul L
    > Cc: Stefano Zanero; BugTraq
    > Subject: Re: Windows Update: A single point of failure for
    > the world's economy?
    > cvsup (or cvs) to update to new operating system or
    > ports/pkgsrc sources is different because:
    > - you don't get the final product; the binaries are not built
    > automatically nor installed.
    > - it is used to build from source; and the source code changes can
    > be compared and reviewed by anyone.

    I see this argument made all the time, and it's simply hogwash. The
    number of people actually *qualified* to review the source to ensure
    that it's not trojaned or doesn't have a buffer overflow or some other
    programming problem is some minuscule percentage of the people who
    actually download and compile that same source. It's a baloney
    argument, and I wish people would stop using it.

    Quick, name the people that *you* know personally who are qualified and
    capable of auditing source code. (This is for all the readers.) I know
    one. I certainly am not. And I know some *very* competent admins who
    are not. I know a programmer who is, but he doesn't have the time.

    In the end, we all have to trust that the people distributing software
    are doing "due diligence", because there simply isn't time to audit it
    all nor are we (in general) qualified to audit it. If you want to argue
    that this isn't true, then *please* explain why so many patches are
    constantly being released for the Linux kernel, for popular applications
    like sendmail and apache, for damn near every software application that
    exists today. This list *exists* because those who *write* the code
    don't know how to program securely. How in the *world* do you expect
    the average user, or for that matter the way above average user, to be
    able to know with certainty that there isn't a problem with the source
    that he's compiling? (Yes, I know about MD5 checksums, PGP sigs, etc.
    All that does is confirm that the source you're getting is what the
    developers intended you to get. It does *not* confirm that the code is
    without problems.)

    Paul Schmehl (
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
