Is finding security holes a good idea?
Eric Rescorla
ekr at rtfm.com
Mon Jun 14 16:25:01 EDT 2004
Ariel Waissbein <Ariel.Waissbein at coresecurity.com> writes:
> >
> > Roughly speaking:
> > If I as a White Hat find a bug and then don't tell anyone, there's no
> > reason to believe it will result in any intrusions. The bug has to
> > become known to Black Hats before it can be used to mount
> > intrusions. This can either happen by Black Hats re-finding it or some
> > White Hat disclosing it. So, the question is, at least in part, what
> > the likelihood of these happening is...
> >
> > -Ekr
> >
>
> Eric,
> I'd say that the good part comes when the security community learns
> from its mistakes, builds a theory around it, and finds conclusive
> solutions to well defined and isolated problems. So that examples (bug
> reports) give the necessary intuition, they are valuable, and in fact,
> necessary.
I think it's importances to distinguish between new classes of
bugs and new instances of old bugs. I agree that new classes
of bugs are potentially interesting, however, I don't think
that this argument applies to the 513th buffer overflow.
See S 8.4 of the paper.
> My point is that, though your argument may be correct, you
> arrive at the conclusion that "bug reporting has no effects"
> arbitrarily.
I never claimed that. What I said was that the evidence that the
positive effects of bug reporting in terms of reduced intrusions did
not clearly offset the negative effects of said reporting.
> I do not mean to act like the old greeks, interested only in
> theoretical problems, and despising the empirical. I'd like to
> maintain InfoSec infraestructures safe as of ten years ago. But I will
> not get into a discussion on the process of "bug reporting", since the
> extensive threads all over cannot settle it. I am confindent that bugs
> need to be reported, eventually -the sooner the better. And that it is
> the software-development community's job to learn from this continuous
> reporting. Doing otherwise is neglecting reality.
I'm not sure how to answer this. In my view it's a bad idea to
be confident of propositions when one doesn't have empirical data
to support them.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list