[RndTbl] wireshark warning

Sean Walberg sean at ertw.com
Fri Jan 17 08:36:58 CST 2014


Your statement is a bit unfair. http://wiki.wireshark.org/Security has a
good explanation of why there are so many patches. I'd argue that "number
of updates with the security flag" is a terrible metric of security in any
product.

<rant>
Security is the act of mitigating risk, it's not an absolute. Calling
something insecure is really unhelpful -- the risk you undertake by using
the software depends on how and where you use it, and what compensating
controls you have in place.

Example: Windows XP possibly deserves the label "miserably insecure". You
put it on the Internet for a minute unpatched and it's quite likely
infected. I have an unpatched XP Virtual machine I use for embedded
development. I don't use the Internet on it. I regularly reset the snapshot
back to a former state. Is that XP box really "insecure"?
</rant>

I will prefix the rest of this by saying I spoke at the Wireshark
conference for its first three years, know many of the core team
personally, and have even contributed an (embarrassingly small) patch to
the product. So Trevor's message, while well-intentioned, struck a bit of a
nerve.

If you didn't read the first link, the main point is that they have been
putting an emphasis on finding bugs lately, both through code reviews and
automated static analysis. So the fact that you're seeing updates is because
the team is driving out the bugs. Most OSS projects don't do this, so the only
people looking for bugs are the bad guys.

The kinds of bugs found are often in the protocol dissectors. Unless you
ignore the warnings, those all run unprivileged. Our adversary needs to be
able to put packets on your network for you to display in Wireshark. We
aren't on the same level as putting an unpatched Windows XP box on the open
Internet.

So while I agree you should update frequently, unless you are in an
environment where you expect people to be actively attacking you, you
should not feel the least bit of worry when you run Wireshark, or the least
bit of shame for something that might be called "miserably insecure".

If you still like reading,
https://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf is
actually pretty funny. There are a few themes, but the relevant one is
"your security measures depend on your adversary. If the Mossad wants your
data, there's nothing you can do. A good password is enough to keep your
ex-boyfriend out of your computer though."

Sean


On Fri, Jan 17, 2014 at 3:46 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> Didn't have a chance to bring it up at the meeting, but I feel it's
> important to add that wireshark is probably the most frequently
> security-patched FOSS out there.  I watch the security feed from Fedora
> and the package I see sec-updated most often is wireshark, probably
> followed by PHPMyAdmin.  It's quite astonishing how miserably insecure
> wireshark is.  (Hmm, too bad there doesn't seem to be a page or chart
> ranking FOSS by CVE count, unless someone else can find one.)
>
> So, if you use wireshark, do your package updates frequently and/or
> before each invocation of wireshark.
>
> This is a great argument for not using wireshark on Windows, as there
> is no yum/apt-get for it, AFAIK, meaning you'd be on your own to
> check for and install updates.
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
>



-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
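Sean's point that the dissectors run unprivileged (unless you ignore the warnings) rests on Wireshark's privilege separation: only the small capture helper, dumpcap, needs raw-socket privileges, and the GUI with all its dissectors should run as an ordinary user. The script below is an added example written for this page, not code from Wireshark or from either poster. It assumes dumpcap lives at /usr/bin/dumpcap and that getcap from libcap is installed; it reports whether the current user is root (dissectors would then be privileged) and whether dumpcap carries file capabilities or the setuid bit instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks that Wireshark is
# being run with its intended privilege separation: unprivileged dissectors,
# privileged capture confined to dumpcap.
# Assumptions: dumpcap is installed at /usr/bin/dumpcap; getcap is available.

DUMPCAP=/usr/bin/dumpcap

# dissectors_unprivileged UID
# Succeeds (exit 0) when the uid that will run the Wireshark GUI is not root,
# i.e. the dissectors will not execute with root privileges.
dissectors_unprivileged() {
    [ "$1" -ne 0 ]
}

# dumpcap_capture_mode GETCAP_LINE
# Classifies one line of getcap output for dumpcap. Prints "caps" when both
# cap_net_raw and cap_net_admin are granted (the distro-recommended setup),
# "none" otherwise. Handles either ordering and both old and new libcap
# output formats, since the check is a substring match.
dumpcap_capture_mode() {
    case "$1" in
        *cap_net_raw*cap_net_admin*|*cap_net_admin*cap_net_raw*) echo caps ;;
        *) echo none ;;
    esac
}

# check_privsep: run the live checks on this machine and print a verdict.
check_privsep() {
    uid=$(id -u)
    if dissectors_unprivileged "$uid"; then
        echo "ok: running as uid $uid, dissectors are unprivileged"
    else
        echo "warn: running as root, dissectors would run privileged"
    fi

    if [ ! -x "$DUMPCAP" ]; then
        echo "warn: $DUMPCAP not found, cannot check capture privileges"
        return 1
    fi

    capline=$(getcap "$DUMPCAP" 2>/dev/null)
    if [ "$(dumpcap_capture_mode "$capline")" = caps ]; then
        echo "ok: dumpcap carries capture capabilities ($capline)"
    elif [ -u "$DUMPCAP" ]; then
        echo "ok: dumpcap is setuid root (capabilities preferred, but capture stays confined)"
    else
        echo "note: dumpcap has no capture privileges; capture would need root, dissection still does not"
    fi
}

# Only run the live checks when executed directly, so the functions can be
# sourced by other scripts or tests without side effects.
case "$0" in
    *sh) ;;
    *) check_privsep ;;
esac
```

Run it as the user who normally launches Wireshark. An "ok" on the first line is the property Sean describes: a dissector bug is reached only by packets the attacker can already put on your wire, and it executes in an unprivileged process rather than as root.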