1 |
On Sat, 9 Aug 2014 19:25:56 +0400 |
2 |
Igor <lanthruster@×××××.com> wrote: |
3 |
|
4 |
> In my experience - hacking into 96 system with a 0 door is much |
5 |
> harder than in 2014. In most cases unless you're an expert on 96 |
6 |
> software which is difficult nowadays due to human memory. |
7 |
|
8 |
Why does one need to be an expert? |
9 |
|
10 |
How about known and/or implemented exploits? |
11 |
|
12 |
> To really break in you need to reproduce server environment as close |
13 |
> as possible or/and have a clear understanding how this particular |
14 |
> software works. Try to assemble a 96 system on modern hardware or |
15 |
> assemble it as they were back in 96, not all sources are online any |
16 |
> longer, that is a hard job. 2014 systems are much easier to assemble |
17 |
> and get a peek to the sources is a trifle. |
18 |
|
19 |
Why reproduce the environment? |
20 |
|
21 |
Is the sources' availability the only factor? |
22 |
|
23 |
> As Linux software is open-source it's often easier to break in Linux |
24 |
> than in Windows systems. The open source is only theoretically safer. |
25 |
> Many belive that because the code is open - it's reviewed and checked |
26 |
> and the number of critical bugs is low. But the reality is that there |
27 |
> is usually no time to review code. Many modern software is very |
28 |
> complex with millions lines and it's not realistic to check or |
29 |
> understand how it works before you use it in your project. Tell me |
30 |
> how many libraries that you use right now are reviewed by you |
31 |
> personally? Not many. And that is a door that is NEVER going to be |
32 |
> closed. There are bugs, rest assured, if you pull any soft right now |
33 |
> and spend time you will find them. If you have an expertise on cross |
34 |
> platforms - you will find even more as developers used to focus on |
35 |
> one platform the birth platform. |
36 |
|
37 |
Can you back up that open source is theoretically safer / harder / ...? |
38 |
|
39 |
It depends on how you look at the source code and binaries; having |
40 |
either doesn't necessarily make it easier or harder to accomplish, |
41 |
especially if you want to find run-time behavior to exploit. |
42 |
|
43 |
You could scan through the source code looking for known errors or so; |
44 |
however, the same is possible to do with the machine code. Both can be |
45 |
done manually or automatically; whether it gets tedious to find, depends |
46 |
on what it is exactly that you are trying to find and how you find it. |
47 |
|
48 |
> If you compare the number of bugs you find in 1996 software and in |
49 |
> 2014 |
50 |
> - the numbers would approximately be the same. |
51 |
|
52 |
That reads like a wild guess due to too much assumptions / conditionals. |
53 |
|
54 |
> Usually 1996 system is patched or protected against known issues and |
55 |
> you have to deal with "unknown" which in case of 1996 is much harder. |
56 |
|
57 |
This also reads like a wild guess; words ending in -ly like "usually" |
58 |
indicate that you're not sure about it and how much of it really is as |
59 |
such, a more believable statement would read like "...% of the systems |
60 |
in 1996 are ... [reference to research]". |
61 |
|
62 |
> Another weak link with open source is software developers. Many of |
63 |
> them spend a lot of time on their software not always getting a fair |
64 |
> monetary reward. So if you a very shrewd and have resources - you go |
65 |
> to developers and offer them money to introduce a subtle bug into the |
66 |
> main tree. After the software is adopted then you have open doors in |
67 |
> EVERY "updated" linux on the planet. |
68 |
> |
69 |
> Personally I belive Heart Bleed bug is one of such. You can never |
70 |
> proof if the bug is artificial or not - how? |
71 |
> |
72 |
> The same true for Microsoft soft. You can basically go to a ntkernel |
73 |
> developer offer him 500 000$ if have them and he would add a bug and |
74 |
> explain you how to use it and you're everywhere :-) but this is |
75 |
> usually the government's methods. They used to keep them secret. |
76 |
|
77 |
Have you considered steady high incomes and the aftermath? |
78 |
|
79 |
With a steady high income and a high level job as Microsoft kernel |
80 |
developer, 500 000$ and the aftermath of consequences loses traction. |
81 |
|
82 |
You might be able to convince that single kernel developer; however, |
83 |
that developer still has to slip this by the rest of the kernel |
84 |
development team as well as quality assurance processes and measures. |
85 |
|
86 |
Getting by the static and dynamic analyzers as well as other run-time |
87 |
measures they have to their availability for awareness is harder than |
88 |
without it; apart from it, there's are also human code reviews and QA. |
89 |
|
90 |
The story gets somewhat different when people don't end up using them, |
91 |
or not spend an equivalent effort; like for example with Heart Bleed. |
92 |
|
93 |
Think about some random unrelated pieces of open source libraries; did |
94 |
that get run through analyzers and include run-time measures, have code |
95 |
reviews like kernels would have and extended QA procedures? |
96 |
|
97 |
https://i.imgflip.com/b3mx0.jpg |
98 |
|
99 |
-- |
100 |
With kind regards, |
101 |
|
102 |
Tom Wijsman (TomWij) |
103 |
Gentoo Developer |
104 |
|
105 |
E-mail address : TomWij@g.o |
106 |
GPG Public Key : 6D34E57D |
107 |
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D |