First, I hope that this message is not considered flame bait. As someone who has used FreeBSD for 5+ years now, I have a genuine interest in the integrity of our source code.

Second, I hope that this message is not taken as any form of insult or finger pointing. Software without bugs does not exist, and I think we all know that. Acknowledging that point and working to mitigate the risks associated with it would seem to be our only real option.

That said, every time something like the recent realpath(3) issue comes to light, I find myself asking why I haven't at least tried to do more to review our source code or (more desirable) enable 3rd-party audits.

My question is... If enabling a 3rd-party audit for some target release (5.3+ I'd assume) is desirable, what would be needed money-, time- and other-wise? I'm willing to invest both time and money to make this happen. I'd expect such an endeavor to be tedious and expensive... and, of course, it would really need to be repeated occasionally to be of real value. (Probably, at least, after major version number changes.) However, perhaps doing an audit of the base system now would help our image in the security community?

All I know is, despite occasional arguments and rants, I like FreeBSD. As long as it exists, I plan to have it installed... So it is in my best interest to help in any way I can. I know projects like secure/trustedBSD exist, but I am really looking for ways to promote the trust of the base system more than specialized projects/branches.

Thoughts?

-mrh

--
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a blacklist!
I don't have jewels flowing out of my pockets, so to speak, but I'd be interested in contributing time/money in this sort of endeavor as well. I'm tired of people not taking the stability and security very seriously.

Kind regards,

Devon H. O'Dell
Systems and Network Engineer
Simpli, Inc. Web Hosting
http://www.simpli.biz

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Mike Hoskins
> Sent: Monday, August 11, 2003 11:08 PM
> To: security@freebsd.org
> Subject: realpath(3) et al
>
> [...]
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
On Mon, Aug 11, 2003 at 02:08:27PM -0700, Mike Hoskins wrote:
> My question is... If enabling a 3rd-party audit for some target release
> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
> other-wise? I'm willing to invest both time and money to make this
> happen. I'd expect such an endeavor to be tedious and expensive... and,
> of course, it would really need to be repeated occasionally to be of real
> value. (Probably, at least, after major version number changes.)
> However, perhaps doing an audit of the base system now would help our
> image in the security community?

Help with auditing is always welcomed. See the freebsd-audit mailing list.

Kris
On Mon, Aug 11, 2003 at 02:08:27PM -0700, Mike Hoskins wrote:
> First, I hope that this message is not considered flame bait. As someone
> who has used FreeBSD for 5+ years now, I have a genuine interest in
> the integrity of our source code.
>
> Second, I hope that this message is not taken as any form of insult or
> finger pointing.

No worries.

> Software without bugs does not exist, and I think we all
> know that. Acknowledging that point and working to mitigate the risks
> associated with it would seem to be our only real option.

Yes, we are all agreed here.

> That said, every time something like the recent realpath(3) issue comes
> to light, I find myself asking why I haven't at least tried to do more to
> review our source code or (more desirable) enable 3rd-party audits.

More people should ask themselves that :-) One can talk about auditing code, or one can do it. Even in projects where careful auditing has been the primary focus, things get missed. For example, OpenBSD missed this exact same bug and corrected it about the same time as everyone else.

> My question is... If enabling a 3rd-party audit for some target release
> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
> other-wise?

People need to read code, that's all. You can share your code reading insights at freebsd-audit@freebsd.org, or if you believe it is sensitive, with security-team@freebsd.org.

We _do_ already audit code, you know. FreeBSD-SA-03:09.signal was a result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's auditing. Also, many commits that are just `cleanup' are the result of a kind of `auditing'.

What we perhaps lack is coordination. This is not easy in a volunteer environment, but perhaps something as simple as a `scoreboard' with `these files being audited/have been audited by whatsmyname' would be an improvement. On the other hand, in my experience, people are quick to volunteer and slow to follow up --- usually disappearing. :-( Of course, those that do follow up often become committers themselves :-)

> I'm willing to invest both time and money to make this
> happen. I'd expect such an endeavor to be tedious and expensive... and,
> of course, it would really need to be repeated occasionally to be of real
> value. (Probably, at least, after major version number changes.)
> However, perhaps doing an audit of the base system now would help our
> image in the security community?

*shrug* I didn't know we had an image problem in the security community. Probably the single most effective way to get an audit done is to read the code :-)

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Organizing a review of the FreeBSD code base will be a tedious, yet highly valuable endeavor. I have little spare time or money, but I would be willing to contribute what I can for such a worthy cause. I suspect that there are many others who feel this way, and therefore it may be feasible for the 3rd party conducting the review to be made up almost entirely of volunteers. I guess the big issue is how to get the process started.

Need person(s) to organize reviews:

It seems like a first step should be to find someone who can organize audits/reviews of the code base, and organize groups of reviewers. Bodies of code could then be assigned to individual volunteers or groups for review within some time frame. Results would be collected and organized and code fixes made and applied. No matter how the project is managed, I think the first action must be to identify some volunteers to run the code review project.

Just an Idea:

Perhaps such reviews could take the form of bug-hunting contests, where those who discover software defects or vulnerabilities are awarded some form of recognition (i.e., named on FreeBSD website), and/or some prize or trophy. This could actually be a really fun activity if presented in the right way. Conducting reviews in this manner may help attract more interest and reduce or eliminate any need to hire a professional organization to perform reviews. Of course there would have to be some rules like, people cannot review code they had any part in authoring.

Any way to get organized reviews done will be a great benefit to the FreeBSD code base. I just want to see it happen and to help where I can.

--ajg

On Monday 11 August 2003 14:08, Mike Hoskins wrote:
> First, I hope that this message is not considered flame bait.
> As someone who has used FreeBSD for 5+ years now, I have a
> genuine interest in the integrity of our source code.
>
> [...]
Sometimes I wonder why I'm on this list.... I was just throwing something out there, before my first cup and about fifteen minutes after awaking. I did in fact clarify this in one more additional message, after I received this kind of garble in my inbox. People like this are a waste of bandwidth.... I'm sure I'll be banned after someone reads this with some sort of authority, so for the people that actually have some sort of sense it has been very educational/fun.

Chris Odell
chris@redstarnetworks.net
p/f: 702.646.2830
t/f: 800.646.2830

-----Original Message-----
From: Scott Lambert [mailto:lambert@lambertfam.org]
Sent: Tuesday, August 12, 2003 6:11 PM
To: Chris Odell
Subject: Re: realpath(3) et al

How many companies have 1000 FreeBSD machines? I'm going to guess it's less than 150, but I'd be happy to be wrong. I guess there *might* be 1000 companies which have 150 FreeBSD machines. Probably tens of thousands of companies with 15 FreeBSD machines. Good luck getting 1000 of them to donate $20.

On Tue, Aug 12, 2003 at 08:15:41AM -0700, Chris Odell wrote:
>
> Corporations - INTERNET Companies...
>
> If you look at the big picture, having an O.S. that has been audited
> for issues would actually be cost effective for them. Having to patch
> a machine that is in service causes downtime.
>
> Let's see -
>
> Each machine takes ten (10) minutes of human work to drop into single
> user mode and install new binaries/kernels
>
> The company has one thousand (1000) machines
>
> That comes to ten thousand (10000) minutes, broken down to hours -
> 167 Hours
>
> The average admin say is making forty five (45) dollars an hour -
> over $7000.00 - not including taxes paid by employer.
>
> So if one hundred fifty companies donated one thousand dollars
> (1000) it would save them downtime, payroll, and taxes.
>
> Just a rough estimate and my 2 cents
>
> Chris Odell
> chris@redstarnetworks.net
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Devon H. O'Dell
> Sent: Tuesday, August 12, 2003 7:42 AM
> To: 'Brooks Davis'
> Cc: security@freebsd.org
> Subject: RE: realpath(3) et al
>
> Okay, so where do we begin with taking contributions?
>
> Devon
>
> > -----Original Message-----
> > From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Brooks Davis
> > Sent: Tuesday, August 12, 2003 4:38 PM
> > To: Devon H. O'Dell
> > CC: security@freebsd.org
> > Subject: Re: realpath(3) et al
> >
> > On Tue, Aug 12, 2003 at 10:24:16AM +0200, Devon H. O'Dell wrote:
> > > What sorts of security standards commissions are there, how much
> > > does getting "standards certified" cost, and where should we start?
> >
> > I think the ballpark number I heard for a minimal certification under
> > Common Criteria was $1.5m.
> >
> > -- Brooks

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org