lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 22 Dec 2004 10:26:41 -0800
From: Crispin Cowan <crispin@...unix.com>
To: "D. J. Bernstein" <djb@...yp.to>
Cc: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories


D. J. Bernstein wrote:

>Stephen Samuel writes:
>  
>
>>I'm asking for a reasonable ammount of time for a responsible
>>programmer to ensure that his/her user community is properly served
>>and protected from the effects of the bugs.
>>    
>>
>Same delusion: you think that users are protected from security holes if
>the security holes are patched before they're announced. Sorry, but
>that's not nearly fast enough. Protecting the users means making the
>programs secure before they're deployed in the first place.
>  
>
In theory, theory is just like practice. But in practice, it isn't.

In theory, I agree with DJB: an infinitely-funded adversary can hire a 
gang of code analysts to scour a code base looking for vulnerabilities 
and *not* publish them, effectively manufacturing private exploits in 
whatever quantity they are willing to pay for. It is conjectured that 
certain foreign governments are actually doing this.

But in practice, there is a *substantial* amount of epidemiological data 
that shows that wide-spread attacks against software follow shortly 
after the disclosure (responsible or otherwise) of a vulnerability. See 
Brown, Arbaugh et al A Trend Analysis of Exploitations 
<http://www.cs.umd.edu/%7Ewaa/pubs/CS-TR-4200.pdf> for great data on 
when attacks happen with respect to disclosure. Furthermore, if you 
force a fire drill in releasing the security patch, you compromise the 
quality of the patch. See my work on patch quality "Timing the 
Application of Security Patches for Optimal Uptime", Beattie et al 
Postscript 
<http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.ps.gz>. or 
ugly PDF <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.pdf>.

So while I am sympathetic to DJB's passion for correct software and to 
hell with the tender feelings of developers who ship buggy code, in 
practice this kind of 0-day notice of vulnerabilities *mostly* just 
harms end-users.

Crispin

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ