On 11/11/2015 09:12 AM, Christopher Myers wrote:
Personally, I'm thankful that Roger passed along the information about the trojan. It seems like folks are berating him a bit for something he's already acknowledged (that the system was outdated and needed upgrading). Rather than doing that, I think it'd be better if we merely acknowledge that and be appreciative of him passing along the information, so that we can be aware of the thing. Plus, that way in the future hopefully others wouldn't be afraid to share something they'd learned/found simply because of how others on the list might react.
You mean that I might be afraid to mention, as I have in the past, such matters as the CVE database, the Risks Digest, the NIST top 20 vulnerabilities listing, and various other sources of threats and risks information? It's not as if the ssh/password vulnerability is new. Roger's problem dates back to 2012 - CVE-2012-5975
http://www.securityweek.com/ssh-patches-serious-vulnerability-its-enterprise...
http://catless.ncl.ac.uk/Risks/
And yes, there have been more:
https://www.cvedetails.com/vulnerability-list/vendor_id-120/SSH.html
https://www.cvedetails.com/vulnerability-list/vendor_id-120/product_id-202/S...

On 11/11/2015 09:20 AM, Roger Oberholtzer wrote:
As a software developer, I am very much aware of what the 'update to the latest version' statement means ... More often than not they were introduced in a recent previous update. Of course, software should move towards being better and better.
A long, long time ago, Frederick P. Brooks wrote in a book called "The Mythical Man-Month" that each release of the OS/360 had about 200 bugs in it. As software grows we can expect that new generations of programmers, less experienced, will repeat the errors of their ancestors. That's certainly been my observation and I think it's backed up by the SANS top 20 list of vulnerabilities: buffer overflow and SQL injection have been the top 2 programming errors for a long time now. You'd think the schools that teach programming would drill such basics into the heads of the students: "DON'T DO THIS", but no... And so we get cascades of the same kind of errors, things like mishandling of pointers in C, year after year.

In many ways it's inherent in the economics of programming. To keep costs down new, inexperienced and therefore cheap programmers are brought in and older, experienced ones go off to do other things. Few firms can afford the intense testing that NASA has for the deep space missions.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?