Jump to content

independent security audit

Guest Coastie

By Guest Coastie
in Feedback

Recommended Posts

  • Replies 59
  • Created
  • Last Reply
Brandon C Collaborator

Brandon C

Posted
Posted

I think these independent security audits need to be channeled to another company/individual who can better suit the bill as obviously Gulftech aren't doing a good job (as it was in testing and auditing with them for a long while, and here Tom comes in two days and finds a lot), considering at least 5 or more major exploits were discovered by Tom in a short series of two days in IPB 2.2.0 recently.

Link to comment
Share on other sites
Tim Dorr Rookie

Tim Dorr

Posted
Posted

Call me ignorant, but who is this Tom fellow everyone's talking about?

One of my friend's,

Someotherguy

, has modified our IPB 2.1 installation to check all new posts against Akismet. I'm sure he wouldn't mind if you wanted to contact him about it.



I just made a small hack to limit posting links before you have 3 posts on our forum. It's been extremely effective so far.
Link to comment
Share on other sites
Amy T Collaborator

Amy T

Posted
Posted

I think these independent security audits need to be channeled to another company/individual who can better suit the bill as obviously Gulftech aren't doing a good job (as it was in testing and auditing with them for a long while, and here Tom comes in two days and finds a lot), considering at least 5 or more major exploits were discovered by Tom in a short series of two days in IPB 2.2.0 recently.


where did you find this data?
Link to comment
Share on other sites
Brandon C Collaborator

Brandon C

Posted
Posted

where did you find this data?



Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^
Link to comment
Share on other sites
Dark Phantom Newbie

Dark Phantom

Posted
Posted

Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^



It doesn't mean that Gulftech, did not find those same exploits.

Let me put it this way, who knows how bad IPB 2.2.x would be without the security audit that took place ( lets face it, enough changed that it could have been a huge problem ). Needless to say, no independent security firm would find every single issue, and the time they took might have been caused by any number of possible issues.

Like I said, enough changed that several weeks on each new feature that was added would be more then reasonable for a security firm. Let me put it this way, IPB 2.2.0 was developed for a really long time, and any delay of IPB 2.2.x was because of the amount of work that went into it.
Link to comment
Share on other sites
Brandon C Collaborator

Brandon C

Posted
Posted

It doesn't mean that Gulftech, did not find those same exploits.



Let me put it this way, who knows how bad IPB 2.2.x would be without the security audit that took place ( lets face it, enough changed that it could have been a huge problem ). Needless to say, no independent security firm would find every single issue, and the time they took might have been caused by any number of possible issues.



Like I said, enough changed that several weeks on each new feature that was added would be more then reasonable for a security firm. Let me put it this way, IPB 2.2.0 was developed for a really long time, and any delay of IPB 2.2.x was because of the amount of work that went into it.



Don't get me wrong; I'm not bashing IPS for their actions. However, being one of the most widely recognized security auditing companies on the internet, and after auditing IPB for that long and not finding that many major exploits (even if they found any; I don't know whether they did or not), and then you have an individual come along and finds several major exploits in IPB in two days is quite odd. I'm just articulating feedback appropriately for IPS in the fact that they should take this into decision when doing future independent security audits for their products, as the events that have happened in regards to these exploits being found by an individual and missed by a company and a team whose job is that worries me, and tells me something is wrong with that. IPS need to re-evaluate the situation at-hand and make changes accordingly by outsourcing to more than one independent security auditing company with a proven record besides Gulftech for maximum efficiency and security purposes.
Link to comment
Share on other sites
Dark Phantom Newbie

Dark Phantom

Posted
Posted

Don't get me wrong; I'm not bashing IPS for their actions. However, being one of the most widely recognized security auditing companies on the internet, and after auditing IPB for that long and not finding that many major exploits (even if they found any; I don't know whether they did or not), and then you have an individual come along and finds several major exploits in IPB in two days is quite odd. I'm just articulating feedback appropriately for IPS in the fact that they should take this into decision when doing future independent security audits for their products, as the events that have happened in regards to these exploits being found by an individual and missed by a company and a team whose job is that worries me, and tells me something is wrong with that. IPS need to re-evaluate the situation at-hand and make changes accordingly by outsourcing to more than one independent security auditing company with a proven record besides Gulftech for maximum efficiency and security purposes.



I actually don't disagree with you, how about we agree that IPS should look into using multiple security firms in the future to bring the best possible products to its customer :-)

Like I said, no company would find all the issues, so multiple firms look at things in different ways is the best solution.

Plus it sounds better then saying they should think about switching companies :-)
Link to comment
Share on other sites
Brandon C Collaborator

Brandon C

Posted
Posted

I actually don't disagree with you, how about we agree that IPS should look into using multiple security firms in the future to bring the best possible products to its customer :-)



Like I said, no company would find all the issues, so multiple firms look at things in different ways is the best solution.



Plus it sounds better then saying they should think about switching companies :-)



Yeah, sorry if I portrayed it that way, because I didn't mean to. That's what I was trying to convey and fully agree/support this suggestion that Dark Phantom and I have stated. :)
Link to comment
Share on other sites
Amy T Collaborator

Amy T

Posted
Posted

Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^


A link to where you got the data would be helpful.
Link to comment
Share on other sites
Amy T Collaborator

Amy T

Posted
Posted

Again, could you please specify "the data" you are referring to? There are no publically published links for the security exploits that Tom has found.


then how do you know he found them?
I am not asking for proof I am asking how Tom came into play.
The first time I heard of him finding any thing was in this thread.
what I am asking is how you know he found them.

It is not that I do not believe you but it is confusing to me.
Link to comment
Share on other sites
Brandon C Collaborator

Brandon C

Posted
Posted

then how do you know he found them?


I am not asking for proof I am asking how Tom came into play.


The first time I heard of him finding any thing was in this thread.


what I am asking is how you know he found them.



It is not that I do not believe you but it is confusing to me.



As I already stated before:

Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and

I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem.

^_^



I talked to Tom on MSN about it when he first found them, if you must know.


Also, Matt stated it on one of his recent blog entries: http://blog.mattmecham.com/archives/2006/11/dear_diary.html

Now that IPB is back off to have a final security audit

(and thanks to Tom for his work in identifying a few areas (ahem) that needed improvement)
Link to comment
Share on other sites
Amy T Collaborator

Amy T

Posted
Posted

As I already stated before:





I talked to Tom on MSN about it when he first found them, if you must know.


Also, as it states on Matt's blog at:

http://blog.mattmecham.com/archives/2006/11/dear_diary.html

Thank you that is what I was asking for.
I do apologize for not seeing it right away.
I was following a different path on this thread and all at once I hear a name and do not know why and now thanks to you I do know why.
You have provided me with the data I asked. Thank you.
Link to comment
Share on other sites
  • Management
Matt Grand Master

Matt

Posted
  • Management
Posted

Ok, let me set the record straight by mentioning that each release of IPB 2.2.0 has been labeled as 'un-supported' and not fit for use as a public board.

During an early beta release, we sent the code off to Gulftech for the first-pass audit. Gulftech found a few general areas for improvement (extra parsing on all incoming variables, stripping off null byte characters, etc). The agreement we had with Gulftech was for a two stage audit.
A 'general' one to identify large areas that required improvement and then a final audit of the final (or near-final) code so that we could identify any areas of code that could be exploited. It made sense to do it this way rather than pay for a single audit on beta code and run the risk of the beta / RC stage changes to the code creating another vulnerability.

Now, Tom - a regular of the IPB community and an all round good-guy had a peek at IPB 2.2.0 and noticed a lack of cleaning in the IP.Converge folder. He notified us and we sorted it out on the next release. Tom also wrote in with some other issues he'd spotted. A few of them we couldn't get working, another was already fixed due to input cleaning being applied in the converge folders and a potential 'register_globals' issue that we couldn't reproduce. It's a bit of a stretch to say that Tom identified 5 "major vulnerabilities" - I fear this just sensationalism rather than something Tom has said directly.

Tom has been a massive help and we've given him our thanks for letting us know of the issues. We are confident that Gulftech would have highlighted them on the final audit but we're certainly grateful for his professionalism and expertise.

I would like to conclude that it would be a stretch of marketing verbiage to claim that the security audit will find every single area that may be exploited. Security is a moving target and new vulnerabilities are always being found in apache, PHP and MySQL as well as Firefox and IE. The audit is just a pro-active step in making IPB the most secure release possible. We take security extremely seriously and our big name customers (AMD, Nvidia, NBC, Sony, etc) are always targets of malicious users so extra precaution is a wise step.

Link to comment
Share on other sites
Guest

Guest

Posted
Posted

multiple security firms wouldn't be reachable, this would mean another price increase for ipb. it's more than high enough as they are now with the new announced ones.

don't understand me wrong I'm glad IPS is having security audits, having one by multiple firms seems over the top.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...