Is finding security holes a good idea?

Thor Lancelot Simon tls at rek.tjls.com
Wed Jun 16 13:30:48 EDT 2004


On Tue, Jun 15, 2004 at 09:37:42PM -0700, Eric Rescorla wrote:
> "Arnold G. Reinhold" <reinhold at world.std.com> writes:
> > My other concern with the thesis that finding security holes is a bad
> > idea is that it treats the Black Hats as a monolithic group. I would
> > divide them into three categories: ego hackers, petty criminals, and
> > high-threat attackers (terrorists, organized criminals and evil
> > governments). The high-threat attackers are likely accumulating
> > vulnerabilities for later use. With the spread of programming
> > knowledge to places where labor is cheap, one can imagine very
> > dangerous systematic efforts to find security holes.  In this context
> > the mere ego hackers might be thought of as beta testers for IT
> > security.  We'd better keep fixing the bugs.
> 
> This only follows if there's a high degree of overlap between the
> bugs that the black hats find and the bugs that white hats would
> find in their auditing efforts. That's precisely what is at
> issue.

Indeed it is -- and unless I misunderstand, you're claiming that there
is _not_ such a degree of overlap.

I think most people would tend to agree that humans working in the same
field generally work in similar ways; some, of course, are innovative
and exceptional, but in general most run-of-the-mill system programmers
have a lot of the same tools in their mental toolboxes and use them in 
much the same way; and some of the time, even the innovative and
exceptional ones work in the same way as us drudges.

This, to me, makes your claim extremely counterintuitive and questionable;
it contradicts not only my intuition but my experience.  I can't even
begin to count the number of bugs I've found by inspection of code (with
some other purpose in mind), forgotten to tell coworkers about or to fix
"right" such that the fixes could be committed, and then seen others
discover when they happened to cast their eyes over the same code fragment
days, weeks, or months later.  And I have deliberately audited large
sections of code, prepared fixes, paused a couple of days or weeks to test
my results, and seen others deliberately or accidentally find and fix (or,
worse, exploit) the same bugs I'd laboriously churned up.

If you won't grant that humans experienced in a given field tend to think
in similar ways, fine.  We'll just have to agree to disagree; but I think
you'll have a hard time making your case to anyone who _does_ believe that,
which I think is most people.  If you do grant it, I think it behooves you
to explain why you don't believe that's the case as regards finding bugs;
or to withdraw your original claim, which is contingent upon it.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
