26 Sep 2005 metaur   » (Master)

The chill of October (a great song by Client)

To keep on bullying^Wreviewing Linux distributions, I've installed Mandriva/Mandrakelinux/Mandrake Linux (whatever) now, as promised earlier. I found it stylish and helpful and equipped with a nice collection of software. On the other hand, I had some installation problems: it left me with a U.S. keyboard, X expected to find the mouse at /dev/mouse and not /dev/mouse0 so it couldn't access it at all, and I couldn't access the floppy drive either. All these problems were easy to solve, but seeing as they target newcomers to Linux, perhaps they should polish their installation system a bit more so people won't end up with a broken system. Some people don't want to use emacs to edit XF86Config, you know.

Vanity Fair

Some guy e-mailed me about one month ago and asked how to find vulnerabilities in software. (Respectable enough, as long as they don't ask "can u t3ach m3 2 b-c0m3 a 31337 h4xx0r" it's fine.) Here is an expanded version of my reply:

To find new vulnerabilities, first you need to know the programming language and environment well, so study C and so on if you don't. Theo de Raadt from OpenBSD says that security problems are quality problems with people making subtle mistakes, and you won't find those mistakes unless you know better than the original authors how things work.

Some people (JT!!) who asked this question earlier seemed to expect an answer of the type "look for all strcpy() calls". Unfortunately, there is no such answer, because it depends on the program. Calls to functions like strcpy(), strcat(), sprintf(), strncpy(), strncat(), sscanf() and so on are sometimes buffer overflows, sometimes not. To do this well, you should learn C rather than just looking for certain strings in code that you don't understand at all.
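As an added illustration of that point (example code written for this page, not from the original entry): a strcpy() call that is safe because the length is checked first, beside a strncpy() call that looks bounded but leaves the buffer unterminated, and the corrected form. The 16-byte buffer size, the helper names and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF 16   /* assumed destination size for all three helpers */

/* Looks dangerous (plain strcpy), but is fine here: the length is
 * checked against the destination size before the copy. Returns 1 on
 * success, 0 if src (plus its NUL) would not fit in BUF bytes. */
int copy_checked(char *dst, const char *src)
{
    if (strlen(src) >= BUF)
        return 0;
    strcpy(dst, src);
    return 1;
}

/* Looks safe (strncpy bounded by the buffer size), but is not: when src
 * has BUF or more characters strncpy writes no terminating NUL, so any
 * later strlen() or printf("%s") on dst reads past the end of the buffer.
 * Returns 1 if dst came out NUL-terminated, 0 if it did not. memchr is
 * used for the check so that this function itself never reads past BUF. */
int copy_strncpy_unterminated(char *dst, const char *src)
{
    strncpy(dst, src, BUF);
    return memchr(dst, '\0', BUF) != NULL;
}

/* Corrected form of the above: truncate to BUF-1 and always write the NUL. */
int copy_strncpy_fixed(char *dst, const char *src)
{
    strncpy(dst, src, BUF - 1);
    dst[BUF - 1] = '\0';
    return memchr(dst, '\0', BUF) != NULL;
}

int main(void)
{
    char dst[BUF];
    const char *long_input = "0123456789abcdefXYZ";   /* constructed: 19 chars */

    printf("strcpy, length checked: %s\n",
           copy_checked(dst, long_input) ? "copied" : "rejected");
    printf("strncpy, unterminated:  %s\n",
           copy_strncpy_unterminated(dst, long_input) ? "terminated" : "NO terminator");
    printf("strncpy, fixed:         %s (dst=\"%s\")\n",
           copy_strncpy_fixed(dst, long_input) ? "terminated" : "NO terminator", dst);
    return 0;
}
```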

You'll probably need a program for source code navigation, so you'll quickly find all places where an interesting function in the program gets called. Some nice open source programs for that include lxr, gonzui and cscope.

Some people also find automated scanning programs like flawfinder and rats helpful. I don't, really, but they might be worth checking out.

Good luck!

(That probably sounded horribly vain, but that goes with the genre, I guess. Is it even possible to write blogs or Internet diaries without sounding like you're bragging?)

xyzzy

"Whereof one cannot speak, thereof one must be silent." -- Ludwig Wittgenstein

