[buug] security/bugs - if *only* it were better

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Mar 27 08:43:34 PDT 2013


Ah, so, within the first 2 hours of my calendar day ...

So, a program[0], me thinks, "Ah, that could be useful to install", but
it's not part of Debian or Ubuntu ... though quite portable, signed, and
also available for such (.deb).  Hmmmm, me thinks, "And who wrote that
software?" ... never heard of 'em.  So, next I have a peek at the code.
And, not too long/hard into it, yeah, security vulnerabilities.  I check
if they've got any bug reporting/tracking on the code - nothing (or no
tracked bugs?) to be found.  So, I send 'em an encrypted signed email
with basic description of the issue.  I also did a quick Google search
on the general security issue they bumped into, and sent them 2 relevant
links from the top 5 hits on Google.

So, I shortly get a reply.  Hey, at least they're responsive!  :-)  But,
alas, they couldn't even decrypt the message, and even after I send it
to 'em in the clear they still miss what I'm talking about.  So, alas,
I spell it out in more detail outlining example proof-of-concept
exploit(s).

Meanwhile, I also notice (and inform the above in my response to them)
something about those two URLs on the general issue I pulled from Google.
One of them included example code on how to do it securely?  <cough, cough>
Uhm, at first quick glance, yeah, but reading it more carefully and
critically, nope: the example[1] on how to do it securely and
properly was itself not proper and secure.  Ugh.  But hey, it's a wiki
site, I can fix that.  Just sign up / register on the site and edit
away.  Uhm, except there's no https at all on the site, so that would
all go in the clear.  And their sign up / register is broken.  Yes, even
after I dumbed down a nice, secure, fairly long password to nothing but
alphanumerics, and removed all other data that their form might
mishandle - yup, just plain doesn't work.  So I email the site contact
about that.  (And thankfully they're also fairly responsive and email me
back within several hours - and yes, they're aware of, and have been
intermittently experiencing the problem, but don't have a fix ... yet).

Doing security right is fairly hard.  But really, it's not *that* hard.
Even darn near bug free code is attainable[3].

So, yeah, found security bugs/errors in 2 completely separate sets of
code within the first 2 hours of my day, and without even especially
trying - those vulnerabilities did pretty much jump out at me when I
read/skimmed the code.  And that's not even counting issues of the wiki
site having no https and a broken sign up / register page.

"If builders built buildings the way programmers write programs, the
first woodpecker that came along would destroy civilization."
- Murphy's Laws of Computer Programming / Technology

references/footnotes:
0. Maybe more details *after*[2] it's fixed.  :-)
1. Maybe more details *after*[2] it's fixed.  :-)
2. http://en.wikipedia.org/wiki/Responsible_disclosure
3. http://www.fastcompany.com/28121/they-write-right-stuff
