<<< Date Index >>>     <<< Thread Index >>>

RE: Followup: vuln in WinBlox monitor for winnt



        Most new programs aren't doing anything nearly this ambitious or
dangerous. A hole in a newly written program is bad, injecting a hole into
every program running on a system is absolutely horrible.

        Yeah, I agree, Liu Die Yu's vulns have been impressive. And this
approach to securing a system has a lot of potential benefits, but it also
has a lot of potential drawbacks. I didn't poke holes in it to be mean, but
because I think it's a really significant idea, and one that has to be done
right. It's seriously important that people don't go grabbing this thinking
it's a stable program that will cure the ills of Windows until it really
_is_.

        Let's see if this idea can reach fruition. It would be a shame to
blow it for everyone who's interested in the potential of this kind of
approach because of hyped up promises and premature code.

        Liu got what I was saying I think, and he's said he'd release the
code. So let the games begin ;)

Cheers,
~ol

> -----Original Message-----
> From: Drew Copley [mailto:dcopley@xxxxxxxx] 
> Sent: March 31, 2004 1:36 PM
> To: Oliver Lavery; bugtraq@xxxxxxxxxxxxxxxxx
> Cc: LiuDieyuinchina@xxxxxxxxxxxx
> Subject: RE: Followup: vuln in WinBlox monitor for winnt
> 
> 
>  
> 
> > -----Original Message-----
> > From: Oliver Lavery [mailto:oliver.lavery@xxxxxxxxxxxx]
> > Sent: Tuesday, March 30, 2004 1:11 PM
> > To: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Followup: vuln in WinBlox monitor for winnt
> 
> <snip>
> > 
> >     That's it. No pissing competition. Liu's onto something
> > very good
> > here, but as anyone who installs MS patches will tell ya, 
> > you've got to see
> > the full implications of a fix before you choose to apply it. 
> > Until this
> > thing gets rewritten properly, and follows even the most 
> > basic principals of
> > secure coding, it'll cause more problems than it fixes, in 
> my opinion.
> > 
> >     I firmly believe that these sorts of tricks have tonnes
> > of potential
> > and are going to become even more common in the future of the 
> > "so called
> > security community" tho' ;)
> 
> <snip>
> 
> Honestly, most [95%+-] "beta" or "alpha" programs do "cause 
> more problems then they fix". 
> 
> Liu Die Yu is relatively new at development, but he is 
> relatively new at finding bugs -- and he has succeeded 
> substantially at that. I do not doubt that he will succeed 
> substantially at this. 
> 
> And, all of this is yet another great reason to immediately 
> put code opensource at an excellent hosting spot like 
> sourceforge... even from the design phase, but especially 
> from the alpha release stage.
> 
> Then you have the ability to have others to help out... and 
> you have such neat, modern resources such as bug databases 
> and submission forms. 
> 
> I do not think Liu Die Yu will take half a year or more to 
> fix his bugs.
> 
> 
> 
> 
> 
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
>  
> 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004