RE: Followup: vuln in WinBlox monitor for winnt

["Oliver Lavery" <oliver.lavery () sympatico ca>]

        Most new programs aren't doing anything nearly this ambitious or
dangerous. A hole in a newly written program is bad, injecting a hole into
every program running on a system is absolutely horrible.

        Yeah, I agree, Liu Die Yu's vulns have been impressive. And this
approach to securing a system has a lot of potential benefits, but it also
has a lot of potential drawbacks. I didn't poke holes in it to be mean, but
because I think it's a really significant idea, and one that has to be done
right. It's seriously important that people don't go grabbing this thinking
it's a stable program that will cure the ills of Windows until it really
_is_.

        Let's see if this idea can reach fruition. It would be a shame to
blow it for everyone who's interested in the potential of this kind of
approach because of hyped up promises and premature code.

        Liu got what I was saying I think, and he's said he'd release the
code. So let the games begin ;)

Cheers,
~ol

> -----Original Message-----
> From: Drew Copley [mailto:dcopley () eeye com] 
> Sent: March 31, 2004 1:36 PM
> To: Oliver Lavery; bugtraq () securityfocus com
> Cc: LiuDieyuinchina () yahoo com cn
> Subject: RE: Followup: vuln in WinBlox monitor for winnt
>
>
>  
>
> > -----Original Message-----
> > From: Oliver Lavery [mailto:oliver.lavery () sympatico ca]
> > Sent: Tuesday, March 30, 2004 1:11 PM
> > To: bugtraq () securityfocus com
> > Subject: Followup: vuln in WinBlox monitor for winnt
>
> <snip>
> >     That's it. No pissing competition. Liu's onto something
> > very good
> > here, but as anyone who installs MS patches will tell ya, 
> > you've got to see
> > the full implications of a fix before you choose to apply it. 
> > Until this
> > thing gets rewritten properly, and follows even the most 
> > basic principals of
> > secure coding, it'll cause more problems than it fixes, in 
> my opinion.
> >     I firmly believe that these sorts of tricks have tonnes
> > of potential
> > and are going to become even more common in the future of the 
> > "so called
> > security community" tho' ;)
>
> <snip>
>
> Honestly, most [95%+-] "beta" or "alpha" programs do "cause 
> more problems then they fix". 
>
> Liu Die Yu is relatively new at development, but he is 
> relatively new at finding bugs -- and he has succeeded 
> substantially at that. I do not doubt that he will succeed 
> substantially at this. 
>
> And, all of this is yet another great reason to immediately 
> put code opensource at an excellent hosting spot like 
> sourceforge... even from the design phase, but especially 
> from the alpha release stage.
>
> Then you have the ability to have others to help out... and 
> you have such neat, modern resources such as bug databases 
> and submission forms. 
>
> I do not think Liu Die Yu will take half a year or more to 
> fix his bugs.
>
>
>
>
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
>  

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004