Gentoo Archives: gentoo-dev

From: Igor <lanthruster@×××××.com>
To: "Paweł Hajdan, Jr." <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] minimalistic emerge
Date: Sat, 09 Aug 2014 15:26:06
In Reply to: Re: [gentoo-dev] minimalistic emerge by "Paweł Hajdan
1 Hello Paweł,
3 Saturday, August 9, 2014, 1:34:29 PM, you wrote:
5 > Possibly relevant article would be
6 > <>
8 >>> The number of bugs is the same. It's more difficult to hack into 1996 system
9 >>> than in 2012.
11 > Do you have any evidence to back that claim? There are tons of known
12 > vulnerabilities in '96-era software, and automated exploits for them.
14 > By the way, I can see a point in your thread. Our updates and package
15 > manager could be improved. They have improved greatly in the last few
16 > years. I think I can safely say we welcome further contributions of
17 > patches, packaging and testing effort, especially helping automate many
18 > of these tasks.
20 In my experience - hacking into 96 system with a 0 door is much harder
21 than in 2014. In most cases unless you're an expert on 96 software which
22 is difficult nowadays due to human memory. To really break in you need to
23 reproduce server environment as close as possible or/and have a clear
24 understanding how this particular software works. Try to assemble a
25 96 system on modern hardware or assemble it as they were back in 96,
26 not all sources are online any longer, that is a hard job. 2014 systems
27 are much easier to assemble and get a peek to the sources is a trifle.
29 As Linux software is open-source it's often easier to break in Linux
30 than in Windows systems. The open source is only theoretically safer.
31 Many belive that because the code is open - it's reviewed and checked
32 and the number of critical bugs is low. But the reality is that there
33 is usually no time to review code. Many modern software is very complex
34 with millions lines and it's not realistic to check or
35 understand how it works before you use it in your project. Tell me
36 how many libraries that you use right now are reviewed by you personally?
37 Not many. And that is a door that is NEVER going to be closed. There are
38 bugs, rest assured, if you pull any soft right now and spend time
39 you will find them. If you have an expertise on cross platforms - you
40 will find even more as developers used to focus on one platform the birth
41 platform.
43 If you compare the number of bugs you find in 1996 software and in 2014
44 - the numbers would approximately be the same.
46 Usually 1996 system is patched or protected against known issues and you
47 have to deal with "unknown" which in case of 1996 is much harder.
49 Another weak link with open source is software developers. Many of them
50 spend a lot of time on their software not always getting a fair monetary
51 reward. So if you a very shrewd and have resources - you go to developers
52 and offer them money to introduce a subtle bug into the main tree. After
53 the software is adopted then you have open doors in EVERY "updated"
54 linux on the planet.
56 Personally I belive Heart Bleed bug is one of such. You can never proof
57 if the bug is artificial or not - how?
59 The same true for Microsoft soft. You can basically go to a ntkernel
60 developer offer him 500 000$ if have them and he would add a bug and
61 explain you how to use it and you're everywhere :-) but this is usually
62 the government's methods. They used to keep them secret.
64 --
65 Best regards,
66 Igor mailto:lanthruster@×××××.com


Subject Author
[OT] Re: [gentoo-dev] minimalistic emerge Tom Wijsman <TomWij@g.o>