Date: Sun, 6 Mar 2016 13:29:59 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On Sun, Mar 06, 2016 at 09:27:00AM +0300, gremlin@...mlin.ru wrote:
> On 2016-03-05 20:20:39 +0300, Solar Designer wrote:
>  > Problem solved:
>  > http://www.openwall.com/ove
> 
> Hmmm... sorry to say, but I've garbaged 21 IDs by simply visiting
> this page and reloading it twice just to see what would happen :-)

A few people said they felt sorry about that, but I think this is
actually OK.

> So I'd suggest adding a BRB (Big Red Button) for those who actually
> need an ID,

I had thought of that and decided to do without it for now.  (Also
considered captcha.)  I like to emphasize how very easy it is to obtain
OVE IDs.  Not even having to click a button serves that goal well.

I don't mind adding a button a bit later, though.  We'll see.

> and displaying some statistics ("1234 IDs were assigned
> today") for everyone else.

This is currently available through OVE IDs themselves - they are
sequential, starting with 0001 at midnight UTC.

>  > Having IDs is of some use even without or before all of that.
> 
> Yes. So prepare for the above link to become really popular.

As it is, it should survive quite a few thousand unique IPs per day
(and yes, it temporarily records per IP address statistics, and it has
per-IP and per-netblock limits), before (gradually) denying service for
the rest of the day.  It might or might not survive a Slashdot-alike
event, but even if not then waiting a day for the next batch of IDs is
quicker than waiting weeks for CVE IDs.

BTW, there is not a hard-coded limit of 9999.  There is logic in place
to try and keep the daily IDs within 9999 (the service becomes less
generous as the 4-digit space gets closer to being exhausted), but if
the requests and unique IPs are too numerous this may be crossed anyway,
resulting in 5- or 6-digit IDs (and going back to 4-digit the next day).

Alexander
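A Python model of the allocation behaviour described in this message: sequential IDs restarting at 0001 at midnight UTC, per-IP and per-/24 quotas that tighten as the day's count approaches 9999, and plain continuation into 5-digit IDs when the soft limit is crossed anyway. This is an added example, not the OVE service's own code; the quota sizes, the linear "less generous" policy and the /24 netblock granularity are assumptions.

```python
"""Daily sequential ID allocator with shrinking per-IP / per-netblock quotas."""
from datetime import datetime, timezone
import ipaddress

SOFT_LIMIT = 9999        # the message: daily IDs are kept within 9999 where possible
BASE_IP_QUOTA = 25       # assumption: IDs one address may take on an empty day
BASE_NET_QUOTA = 200     # assumption: IDs one /24 may take on an empty day


class DailyAllocator:
    def __init__(self):
        self.day = None          # UTC date the counters belong to
        self.count = 0           # IDs handed out so far today
        self.per_ip = {}         # address -> IDs taken today
        self.per_net = {}        # /24 network -> IDs taken today

    def _roll(self, now):
        """At midnight UTC every counter resets and IDs restart at 0001."""
        if now.date() != self.day:
            self.day, self.count = now.date(), 0
            self.per_ip.clear()
            self.per_net.clear()

    def _quota(self, base):
        """Assumed policy: allowance shrinks linearly as the 4-digit space fills,
        but never below 1, so a fresh requester can still get one ID."""
        remaining = max(0, SOFT_LIMIT - self.count) / SOFT_LIMIT
        return max(1, int(base * remaining))

    def allocate(self, ip, now=None):
        """Return the next ID (4 digits, more once past SOFT_LIMIT) or None if
        this address or its /24 is over quota for the rest of the day."""
        now = now or datetime.now(timezone.utc)
        self._roll(now)
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        used_ip = self.per_ip.get(ip, 0)
        used_net = self.per_net.get(net, 0)
        if used_ip >= self._quota(BASE_IP_QUOTA) or used_net >= self._quota(BASE_NET_QUOTA):
            return None
        self.per_ip[ip] = used_ip + 1
        self.per_net[net] = used_net + 1
        self.count += 1
        return f"{self.count:04d}"   # "10000" once the soft limit is crossed
```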
