Is finding security holes a good idea?

Eric Rescorla ekr at rtfm.com
Wed Jun 16 00:37:38 EDT 2004


Jerrold Leichter <jerrold.leichter at smarts.com> writes:

> | Thor Lancelot Simon <tls at rek.tjls.com> writes:
> |
> | > On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
> | >> Roughly speaking:
> | >> If I as a White Hat find a bug and then don't tell anyone, there's no
> | >> reason to believe it will result in any intrusions.  The bug has to
> | >
> | > I don't believe that the premise above is valid.  To believe it, I think
> | > I'd have to hold that there were no correlation between bugs I found and
> | > bugs that others were likely to find; and a lot of experience tells me
> | > very much the opposite.
> |
> | The extent to which bugs are independently rediscovered is certainly
> | an open question which hasn't received enough study. However, the
> | fact that relatively obvious and serious bugs seem to persist for
> | long periods of time (years) in code bases without being found
> | in the open literature, suggests that there's a fair amount of
> | independence.
> I don't find that argument at all convincing.  After all, these bugs *are*
> being found!

Well, SOME bugs are being found. I don't know what you mean by
"these" bugs. We don't have any really good information about
the bugs that haven't been found. What makes you think that
there aren't 5x as many bugs still in the code that are basically
like the ones you've found?


> It's clear that having access to the sources is not, in and of itself,
> sufficient to make these bugs visible (else the developers of closed-source
> software would find them long before independent white- or black-hats).

I don't think that's clear at all. It could be purely stochastic.
I.e. you look at a section of code, you find the bug with some
probability. However, there's a lot of code and the auditing
coverage isn't very deep so bugs persist for a long time.

-Ekr
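The "purely stochastic" auditing picture above can be written down as a small model. This is an added illustration, not part of the original thread: the parameters (coverage, per-look find probability, number of bugs, number of audits) are constructed assumptions, not measurements, and the only point is that a low per-audit discovery chance, repeated over many independent audits, yields both "some bugs get found" and "most bugs persist for years" at the same time.

```python
import random

# Constructed model: each audit inspects a given region of code with
# probability COVERAGE and, if it looks there, spots a bug in that region
# with probability FIND_PROB.  Audits are assumed independent of each other.
COVERAGE = 0.05   # assumption: shallow auditing, 5% of the code per audit
FIND_PROB = 0.2   # assumption: a bug in an inspected region is caught 1 in 5 times


def survival_probability(coverage: float, find_prob: float, audits: int) -> float:
    """Probability that one bug survives `audits` independent audits."""
    q = coverage * find_prob          # per-audit chance this bug is discovered
    return (1.0 - q) ** audits


def expected_found_and_remaining(total_bugs: int, coverage: float,
                                 find_prob: float, audits: int) -> tuple:
    """Expected (found, still latent) counts after `audits` audits."""
    remaining = total_bugs * survival_probability(coverage, find_prob, audits)
    return round(total_bugs - remaining, 2), round(remaining, 2)


def rediscovery_probability(coverage: float, find_prob: float,
                            later_audits: int) -> float:
    """Chance a bug found and kept quiet is independently found again
    by at least one of `later_audits` subsequent audits."""
    return 1.0 - survival_probability(coverage, find_prob, later_audits)


def simulate_found(total_bugs: int, coverage: float, find_prob: float,
                   audits: int, trials: int = 500, seed: int = 1) -> float:
    """Monte Carlo check of expected_found_and_remaining()[0]."""
    rng = random.Random(seed)
    q = coverage * find_prob
    found_total = 0
    for _ in range(trials):
        found_total += sum(1 for _ in range(total_bugs)
                           if any(rng.random() < q for _ in range(audits)))
    return found_total / trials


if __name__ == "__main__":
    found, latent = expected_found_and_remaining(100, COVERAGE, FIND_PROB, 20)
    print(f"after 20 audits: ~{found} of 100 bugs found, ~{latent} still latent")
    print(f"simulated found: ~{simulate_found(100, COVERAGE, FIND_PROB, 20):.1f}")
    print(f"chance of independent rediscovery within 12 more audits: "
          f"{rediscovery_probability(COVERAGE, FIND_PROB, 12):.3f}")
```

With these constructed numbers roughly one bug in five has been found after twenty audits while four times as many remain latent, and a found-but-undisclosed bug has only about an 11% chance of being independently rediscovered over the next twelve audits, which is the shape of argument the post is making.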

