Re: Security experts in Mauritius

From: Loganaden Velvindron <logan_at_afrinic.net>
Date: Sun, 1 Nov 2015 14:44:21 +0400

On 11/1/15 12:51 PM, S Moonesamy wrote:
> Hi Logan,
> At 02:23 01-11-2015, Loganaden Velvindron wrote:
>> It's not only LUGM. There are *many* companies in Mauritius relying on
>> Open Source Software. How many are actually carrying out security
>> audits, and discovering those flaws? The numbers speak for themselves.
>
> I suggest taking up this topic in a group interested in Open Source
> advocacy.
It's not an Open Source problem. It's how local enterprise and their
engineers approach/interact with Open Source vendors. It's the same
problem you encounter with proprietary software.

If you ask any local company for a policy on how to interact with their
Open Source vendor support for reporting issues, most don't have one,
despite relying on Open Source heavily. However, quite a few have
contracts with companies like RedHat.

>
>> Auditing for security flaws involves having good knowledge of software
>> development, *and* being able to critically analyze code to find a way
>> to subvert it. A security expert who cannot understand how unbounded
>> string copies lead to buffer overflows is NOT a security expert. Why
>> would a security company hire a security engineer who does not
>> understand those?
>
> Has there been a buffer overflow in any software you have written?
There hasn't been any CVE assigned to me :) I am trying very hard to
avoid that :) Peer-review of code by senior developers helps.


>
>> Discovering a compromised website is one thing. However, going through
>> the web application code, and discovering the vulnerable code which
>> allows that to happen is what a real security expert would do. Now, how
>> to prevent that from happening, by rewriting the code, is the next step.
>> How many people can do that in Mauritius? I would be happy to one day
>> see someone post such an analysis on his blog.
>
> There is a report at
> https://lists.afrinic.net/pipermail/announce/2014/001230.html Is an
> analysis available? :-)
>
I believe that I cannot answer that question.
 
> It is not to the advantage of the person writing the blog article to
> share all that information for free when someone else will take all
> the credit. There is also the "avoiding talking about problems that
> impact them".
>

This culture problem needs to be fixed.

>> And what about practical applications of those concepts? Implement the
>> OpenSSL API, in a simple client/server model ?
>
> In March, you commented [1] that "Unlike, OpenSSL we do not support
> weak ciphers".
OpenSSL supports weak ciphers, mostly to keep backward compatibility
with a lot of legacy deployment. You don't want your old application to
stop working when doing an OpenSSL update.

Admittedly, at the time, I didn't understand the SSL ecosystem very
well. Now, I understand how application writers interact with OpenSSL,
and how often they update their code. Different SSL implementations have
different goals in mind. I work on 3 different ones, because I'm curious
by nature :)

>
>> And how many can explain the technical details behind Heartbleed :p ?
>
> How many servers in Mauritius were affected by Heartbleed?
>
Hard to tell, but I believe quite a few. No security firm has done any
analysis.

> Regards,
> S. Moonesamy
>
> 1.
> http://lists.elandnews.com/archive/mauritius/internet-users/2015/03/0096.html
>
>
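The thread above invokes two concrete cases (a copy that trusts an unbounded length, and the mechanism behind Heartbleed) without showing code. The following C model is an added example and is not OpenSSL's code nor anything from the thread: it assumes a simplified heartbeat-style record (type byte, 2-byte claimed payload length, payload) and shows the length-trusting echo beside the bounds-checked form that rejects a claim larger than what actually arrived.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a heartbeat-style echo request, added here as an
 * illustration (not OpenSSL's code): one type byte, a 2-byte big-endian
 * length the peer claims for its payload, then the payload itself. */
#define HB_MAX_PAYLOAD 64

typedef struct {
    size_t record_len;                 /* bytes that actually arrived */
    uint8_t data[HB_MAX_PAYLOAD + 3];  /* type + length + payload */
} hb_record;

static size_t hb_claimed_len(const hb_record *r) {
    return ((size_t)r->data[1] << 8) | r->data[2];
}

/* Vulnerable form: trusts the claimed length and copies that many bytes
 * from the record buffer, so bytes beyond what arrived (stale memory in a
 * real implementation) are echoed back. Returns bytes copied. */
size_t hb_echo_unchecked(const hb_record *r, uint8_t *out, size_t out_cap) {
    size_t n = hb_claimed_len(r);
    if (n > out_cap) n = out_cap;      /* only the caller's buffer is bounded */
    memcpy(out, r->data + 3, n);
    return n;
}

/* Hardened form: the claimed length must fit inside the bytes actually
 * received. Returns bytes copied, or 0 when the record is rejected. */
size_t hb_echo_checked(const hb_record *r, uint8_t *out, size_t out_cap) {
    if (r->record_len < 3) return 0;   /* no room for type + length */
    size_t n = hb_claimed_len(r);
    if (n > r->record_len - 3) return 0;  /* claims more than arrived */
    if (n > out_cap) return 0;
    memcpy(out, r->data + 3, n);
    return n;
}

/* Builds a constructed sample: payload_len real bytes of `fill`, but a
 * header claiming `claimed` bytes; 'S' marks the stale bytes beyond them. */
void hb_build(hb_record *r, size_t payload_len, size_t claimed, uint8_t fill) {
    if (payload_len > HB_MAX_PAYLOAD) payload_len = HB_MAX_PAYLOAD;
    memset(r->data, 'S', sizeof r->data);
    r->data[0] = 1;
    r->data[1] = (uint8_t)(claimed >> 8);
    r->data[2] = (uint8_t)claimed;
    memset(r->data + 3, fill, payload_len);
    r->record_len = 3 + payload_len;
}
```

The unchecked echo returns the 40 bytes the header claims although only 4 arrived, while the checked form drops the record; a defender reviewing such code looks for exactly that missing comparison between a peer-supplied length and the received length.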
Received on Sun Nov 01 2015 - 10:34:15 PST

This archive was generated by hypermail 2.3.0 : Sun Nov 01 2015 - 10:36:00 PST