| 1 |
On 06/23/11 19:54, walt wrote: |
| 2 |
> I've been reading the monthly security bulletin from sans.org for |
| 3 |
> several years. During that time I've noticed some recurring themes, |
| 4 |
> including multiple appearances from Adobe products like Flash. |
| 5 |
> |
| 6 |
> Another recurring theme is ftp servers (of which there are dozens) |
| 7 |
> like this month's report: |
| 8 |
> |
| 9 |
> Platform: Cross Platform |
| 10 |
> Title: Wing FTP Server "ssh public key" Authentication Security Bypass |
| 11 |
> Vulnerability |
| 12 |
> Description: Wing FTP Server is a secure file server for Windows, Linux, |
| 13 |
> Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass |
| 14 |
> issue that affects the SSH authentication mechanism. Versions prior to |
| 15 |
> Wing FTP Server 3.8.8 are affected. |
| 16 |
> Ref: http://www.securityfocus.com/bid/48335/info |
| 17 |
> |
| 18 |
> Mind you, this is the first time I've seen Wing mentioned, but over the |
| 19 |
> years there have been dozens of other ftp servers cited for other flaws |
| 20 |
> in security. |
| 21 |
> |
| 22 |
> My question: WTF uses these poorly written ftp servers? Why do they |
| 23 |
> exist? Who asked for them? Who wrote the code, and why? |
| 24 |
> |
| 25 |
> My tentative guess: either evil programmers, or incompetent programmers. |
| 26 |
> (I suspect the intersection of the two sets is very small.) |
| 27 |
> |
| 28 |
> Many years ago when I was still using M$ Windows I wrote my own hex |
| 29 |
> editor in Visual Basic. I can't explain why I chose to do it, other |
| 30 |
> than as an exercise to learn Visual Basic. (I haven't used it since.) |
| 31 |
> |
| 32 |
> I'm quite certain that my hex editor would flunk even the most basic |
| 33 |
> security tests today because I wasn't programming with security in mind. |
| 34 |
> (In other words, I was the rankest of amateurs.) |
| 35 |
> |
| 36 |
> I'm running out of indignation now, and going to bed, but I'd welcome |
| 37 |
> other indignant comments :) |
| 38 |
Programming secure software is not the easiest task to master. It takes |
| 39 |
a lot of planning and enough knowledge about the components you're using |
| 40 |
to know exactly how they all work together, as well as how they are not |
| 41 |
supposed to be used. In many cases, vulnerabilities originate from lack |
| 42 |
of knowledge in novice programmers. Other's are just something that was |
| 43 |
overlooked in the planning stage, which becomes much more possible as |
| 44 |
the size of the program increases. And, of course, sometimes people make |
| 45 |
a mistake. |
| 46 |
|
| 47 |
As for the ftp(, etc) programs, this is what you get in the FOSS world. |
| 48 |
I'm not referring to the programs with security hole, but to the |
| 49 |
abundance of available programs of all shapes and sizes. Many are great, |
| 50 |
some are not; but you have the option to pick and choose which work best |
| 51 |
for you. The same is generally true for proprietary software too. No one |
| 52 |
necessarily asked for them, but it was a choice the dev made to spend |
| 53 |
the time to write the program. It's possible they purposefully |
| 54 |
implemented a flawed security model, but I don't *think* that's usually |
| 55 |
the case (but I could just be very naive). |
| 56 |
|
| 57 |
Personally, I don't know why anyone would pay for software anymore, but |
| 58 |
that's just me :-P |
Archives