Bugtraq mailing list archives
RE: Followup: vuln in WinBlox monitor for winnt
From: "Oliver Lavery" <oliver.lavery () sympatico ca>
Date: Tue, 30 Mar 2004 22:35:49 -0500
Most new programs aren't doing anything nearly this ambitious or dangerous. A hole in a newly written program is bad, injecting a hole into every program running on a system is absolutely horrible. Yeah, I agree, Liu Die Yu's vulns have been impressive. And this approach to securing a system has a lot of potential benefits, but it also has a lot of potential drawbacks. I didn't poke holes in it to be mean, but because I think it's a really significant idea, and one that has to be done right. It's seriously important that people don't go grabbing this thinking it's a stable program that will cure the ills of Windows until it really _is_. Let's see if this idea can reach fruition. It would be a shame to blow it for everyone who's interested in the potential of this kind of approach because of hyped up promises and premature code. Liu got what I was saying I think, and he's said he'd release the code. So let the games begin ;) Cheers, ~ol
-----Original Message----- From: Drew Copley [mailto:dcopley () eeye com] Sent: March 31, 2004 1:36 PM To: Oliver Lavery; bugtraq () securityfocus com Cc: LiuDieyuinchina () yahoo com cn Subject: RE: Followup: vuln in WinBlox monitor for winnt-----Original Message----- From: Oliver Lavery [mailto:oliver.lavery () sympatico ca] Sent: Tuesday, March 30, 2004 1:11 PM To: bugtraq () securityfocus com Subject: Followup: vuln in WinBlox monitor for winnt<snip>That's it. No pissing competition. Liu's onto something very good here, but as anyone who installs MS patches will tell ya, you've got to see the full implications of a fix before you choose to apply it. Until this thing gets rewritten properly, and follows even the most basic principals of secure coding, it'll cause more problems than it fixes, inmy opinion.I firmly believe that these sorts of tricks have tonnes of potential and are going to become even more common in the future of the "so called security community" tho' ;)<snip> Honestly, most [95%+-] "beta" or "alpha" programs do "cause more problems then they fix". Liu Die Yu is relatively new at development, but he is relatively new at finding bugs -- and he has succeeded substantially at that. I do not doubt that he will succeed substantially at this. And, all of this is yet another great reason to immediately put code opensource at an excellent hosting spot like sourceforge... even from the design phase, but especially from the alpha release stage. Then you have the ability to have others to help out... and you have such neat, modern resources such as bug databases and submission forms. I do not think Liu Die Yu will take half a year or more to fix his bugs. --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
Current thread:
- Followup: vuln in WinBlox monitor for winnt Oliver Lavery (Mar 31)
- <Possible follow-ups>
- RE: Followup: vuln in WinBlox monitor for winnt Drew Copley (Mar 31)
- RE: Followup: vuln in WinBlox monitor for winnt Oliver Lavery (Mar 31)