Ethereal-dev: Re: [Ethereal-dev] FYI

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Thu, 27 Oct 2005 08:04:01 +1000
Gilbert Ramirez wrote:
> This is both a good and bad statistic.
> 
> Bad in that we have so many bugs.
> 
> Good in that we used to have more bugs, but they went unnoticed. Now
> we have a system in place that actively looks for bugs by feeding
> ethereal strange data to see what happens.
> 
> So, it's good the bugs are finally being found.
> 
> --gilbert
> 
> On 10/26/05, Radek Vokál <rvokal@xxxxxxxxxx> wrote:
> 
>>9% of vulnerabilities across all RHEL are in ethereal ..
>>
>>http://www.advogato.org/person/mjcox/diary.html?start=141

Some other observations

Nothing else in the list exposes itself to anything like the number of
potential attacks that Ethereal does. Intrusion Detection Systems would
probably be the best example of something that does. (e.g. I've just
upgraded Snort because of the BO bug.)

And that Ethereal should be considered bleeding edge. It sometimes
implements decodes based on experimental or reverse engineered
information for protocols, usually because someone "needs it now". The
assumptions made may not be valid.

And that Ethereal has contributors with varying levels of security
awareness in programming.

Should there be a --disable-unverified configure option (rather than
having to know which bits are under active development) for people with
security paranoia. And then have the contributors determine when a new
disector gets the "Good Decoding Seal of Approval".

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who