Gentoo Archives: gentoo-user

From: Matthew Finkel <matthew.finkel@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity
Date: Fri, 24 Jun 2011 02:55:55
In Reply to: [gentoo-user] [OT/rant] Self-replicating programmer stupidity by walt
1 On 06/23/11 19:54, walt wrote:
2 > I've been reading the monthly security bulletin from for
3 > several years. During that time I've noticed some recurring themes,
4 > including multiple appearances from Adobe products like Flash.
5 >
6 > Another recurring theme is ftp servers (of which there are dozens)
7 > like this month's report:
8 >
9 > Platform: Cross Platform
10 > Title: Wing FTP Server "ssh public key" Authentication Security Bypass
11 > Vulnerability
12 > Description: Wing FTP Server is a secure file server for Windows, Linux,
13 > Mac, FreeBSD and Solaris. Wing FTP Server is exposed to a security bypass
14 > issue that affects the SSH authentication mechanism. Versions prior to
15 > Wing FTP Server 3.8.8 are affected.
16 > Ref:
17 >
18 > Mind you, this is the first time I've seen Wing mentioned, but over the
19 > years there have been dozens of other ftp servers cited for other flaws
20 > in security.
21 >
22 > My question: WTF uses these poorly written ftp servers? Why do they
23 > exist? Who asked for them? Who wrote the code, and why?
24 >
25 > My tentative guess: either evil programmers, or incompetent programmers.
26 > (I suspect the intersection of the two sets is very small.)
27 >
28 > Many years ago when I was still using M$ Windows I wrote my own hex
29 > editor in Visual Basic. I can't explain why I chose to do it, other
30 > than as an exercise to learn Visual Basic. (I haven't used it since.)
31 >
32 > I'm quite certain that my hex editor would flunk even the most basic
33 > security tests today because I wasn't programming with security in mind.
34 > (In other words, I was the rankest of amateurs.)
35 >
36 > I'm running out of indignation now, and going to bed, but I'd welcome
37 > other indignant comments :)
38 Programming secure software is not the easiest task to master. It takes
39 a lot of planning and enough knowledge about the components you're using
40 to know exactly how they all work together, as well as how they are not
41 supposed to be used. In many cases, vulnerabilities originate from lack
42 of knowledge in novice programmers. Other's are just something that was
43 overlooked in the planning stage, which becomes much more possible as
44 the size of the program increases. And, of course, sometimes people make
45 a mistake.
47 As for the ftp(, etc) programs, this is what you get in the FOSS world.
48 I'm not referring to the programs with security hole, but to the
49 abundance of available programs of all shapes and sizes. Many are great,
50 some are not; but you have the option to pick and choose which work best
51 for you. The same is generally true for proprietary software too. No one
52 necessarily asked for them, but it was a choice the dev made to spend
53 the time to write the program. It's possible they purposefully
54 implemented a flawed security model, but I don't *think* that's usually
55 the case (but I could just be very naive).
57 Personally, I don't know why anyone would pay for software anymore, but
58 that's just me :-P


Subject Author
Re: [gentoo-user] [OT/rant] Self-replicating programmer stupidity Bill Longman <bill.longman@×××××.com>