Is finding security holes a good idea?

Eric Rescorla ekr at rtfm.com
Wed Jun 16 00:37:42 EDT 2004


"Arnold G. Reinhold" <reinhold at world.std.com> writes:
> My other concern with the thesis that finding security holes is a bad
> idea is that it treats the Black Hats as a monolithic group. I would
> divide them into three categories: ego hackers, petty criminals, and
> high-threat attackers (terrorists, organized criminals and evil
> governments).  The high-threat attackers are likely accumulating
> vulnerabilities for later use. With the spread of programming
> knowledge to places where labor is cheap, one can imagine very
> dangerous systematic efforts to find security holes.  In this context
> the mere ego hackers might be thought of as beta testers for IT
> security.  We'd better keep fixing the bugs.

This only follows if there's a high degree of overlap between the
bugs that the black hats find and the bugs that white hats would
find in their auditing efforts. That's precisely what is at
issue.

-Ekr



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com