<div dir="ltr"><div>Your statement is a bit unfair. <a href="http://wiki.wireshark.org/Security">http://wiki.wireshark.org/Security</a> has a good explanation of why there are so many patches. I'd argue that "number of updates with the security flag" is a terrible metric of security in any product.</div>
<div><br></div><div><rant></div>Security is the act of mitigating risk, it's not an absolute. Calling something insecure is really unhelpful -- the risk you undertake by using the software depends on how and where you use it, and what compensating controls you have in place.<div>
<div><br></div><div>Example: Windows XP possibly deserves the label "miserably insecure". You put it on the Internet for a minute unpatched and it's quite likely infected. I have an unpatched XP Virtual machine I use for embedded development. I don't use the Internet on it. I regularly reset the snapshot back to a former state. Is that XP box really "insecure"?</div>
<div></rant><br><div><br></div><div>I will prefix the rest of this by saying I spoke at the Wireshark conference for its first three years, know many of the core team personally, and have even contributed an (embarrassingly small) patch to the product. So Trevor's message, while well-intentioned, struck a bit of a nerve.</div>
<div><br></div><div>If you didn't read the first link, the main point is that they have putting an emphasis on finding bugs lately, both through code reviews and automated static analysis. So the fact that you're seeing updates is because the team is driving out the bugs. Most OSS projects don't do this, so the only people looking for bugs are the bad guys.</div>
<div><br></div><div>The kinds of bugs found are often in the protocol dissectors. Unless you ignore the warnings, those all run unprivileged. Our adversary needs to be able to put packets on your network for you to display in Wireshark. We aren't on the same level as putting an unpatched Windows XP box on the open Internet.</div>
<div><br></div><div>So while I agree you should update frequently, unless you are in an environment where you expect people to be actively attacking you, you should not feel the least bit of worry when you run Wireshark, or the least bit of shame for something that might be called "miserably insecure".</div>
<div><br></div><div>If you still like reading, <a href="https://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf">https://research.microsoft.com/en-us/people/mickens/thisworldofours.pdf</a> is actually pretty funny. There are a few themes, but the relevant one is "your security measures depends on your adversary. If the Mossad wants your data, there's nothing you can do. A good password is enough to keep your ex-boyfriend out of your computer though"</div>
<div><br></div></div></div><div>Sean</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jan 17, 2014 at 3:46 AM, Trevor Cordes <span dir="ltr"><<a href="mailto:trevor@tecnopolis.ca" target="_blank">trevor@tecnopolis.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Didn't have a chance to bring it up at the meeting, but I feel it's<br>
important to add that wireshark is probably the most frequently<br>
security-patched FOSS out there. I watch the security feed from Fedora<br>
and the package I see sec-updated most often is wireshark, probably<br>
followed by PHPMyAdmin. It's quite astonishing how miserably insecure<br>
wireshark is. (Hmm, too bad there doesn't seem to be a page or chart<br>
ranking FOSS by CVE count, unless someone else can find one.)<br>
<br>
So, if you use wireshark, do your package updates frequently and/or<br>
before each invocation of wireshark.<br>
<br>
This is a great argument for not using wireshark on Windows, as there<br>
is not yum/apt-get for it, AFAIK, meaning you'd be on your own to<br>
check for and install updates.<br>
_______________________________________________<br>
Roundtable mailing list<br>
<a href="mailto:Roundtable@muug.mb.ca">Roundtable@muug.mb.ca</a><br>
<a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a>
</div>