RE: Followup: vuln in WinBlox monitor for winnt
Most new programs aren't doing anything nearly this ambitious or
dangerous. A hole in a newly written program is bad, injecting a hole into
every program running on a system is absolutely horrible.
Yeah, I agree, Liu Die Yu's vulns have been impressive. And this
approach to securing a system has a lot of potential benefits, but it also
has a lot of potential drawbacks. I didn't poke holes in it to be mean, but
because I think it's a really significant idea, and one that has to be done
right. It's seriously important that people don't go grabbing this thinking
it's a stable program that will cure the ills of Windows until it really
_is_.
Let's see if this idea can reach fruition. It would be a shame to
blow it for everyone who's interested in the potential of this kind of
approach because of hyped up promises and premature code.
Liu got what I was saying I think, and he's said he'd release the
code. So let the games begin ;)
Cheers,
~ol
> -----Original Message-----
> From: Drew Copley [mailto:dcopley@xxxxxxxx]
> Sent: March 31, 2004 1:36 PM
> To: Oliver Lavery; bugtraq@xxxxxxxxxxxxxxxxx
> Cc: LiuDieyuinchina@xxxxxxxxxxxx
> Subject: RE: Followup: vuln in WinBlox monitor for winnt
>
>
>
>
> > -----Original Message-----
> > From: Oliver Lavery [mailto:oliver.lavery@xxxxxxxxxxxx]
> > Sent: Tuesday, March 30, 2004 1:11 PM
> > To: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Followup: vuln in WinBlox monitor for winnt
>
> <snip>
> >
> > That's it. No pissing competition. Liu's onto something
> > very good
> > here, but as anyone who installs MS patches will tell ya,
> > you've got to see
> > the full implications of a fix before you choose to apply it.
> > Until this
> > thing gets rewritten properly, and follows even the most
> > basic principals of
> > secure coding, it'll cause more problems than it fixes, in
> my opinion.
> >
> > I firmly believe that these sorts of tricks have tonnes
> > of potential
> > and are going to become even more common in the future of the
> > "so called
> > security community" tho' ;)
>
> <snip>
>
> Honestly, most [95%+-] "beta" or "alpha" programs do "cause
> more problems then they fix".
>
> Liu Die Yu is relatively new at development, but he is
> relatively new at finding bugs -- and he has succeeded
> substantially at that. I do not doubt that he will succeed
> substantially at this.
>
> And, all of this is yet another great reason to immediately
> put code opensource at an excellent hosting spot like
> sourceforge... even from the design phase, but especially
> from the alpha release stage.
>
> Then you have the ability to have others to help out... and
> you have such neat, modern resources such as bug databases
> and submission forms.
>
> I do not think Liu Die Yu will take half a year or more to
> fix his bugs.
>
>
>
>
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
>
>
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004