[15613] in cryptography@c2.net mail archive


Re: Is finding security holes a good idea?

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Mon Jun 14 16:39:48 2004

X-Original-To: cryptography@metzdowd.com
To: Ariel Waissbein <Ariel.Waissbein@coresecurity.com>
Cc: Ben Laurie <ben@algroup.co.uk>, cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 14 Jun 2004 13:25:01 -0700
In-Reply-To: <40CE0479.30202@coresecurity.com> (Ariel Waissbein's message of
 "Mon, 14 Jun 2004 17:03:05 -0300")

Ariel Waissbein <Ariel.Waissbein@coresecurity.com> writes:

>  >
>  > Roughly speaking:
>  > If I as a White Hat find a bug and then don't tell anyone, there's no
>  > reason to believe it will result in any intrusions.  The bug has to
>  > become known to Black Hats before it can be used to mount
>  > intrusions. This can either happen by Black Hats re-finding it or some
>  > White Hat disclosing it.  So, the question is, at least in part, what
>  > the likelihood of these happening is...
>  >
>  > -Ekr
>  >
>
> Eric,
> I'd say that the good part comes when the security community learns
> from its mistakes, builds a theory around it, and finds conclusive
> solutions to well defined and isolated problems. So that examples (bug
> reports) give the necessary intuition, they are valuable, and in fact,
> necessary. 

I think it's important to distinguish between new classes of
bugs and new instances of old bugs. I agree that new classes
of bugs are potentially interesting, however, I don't think
that this argument applies to the 513th buffer overflow. 
See S 8.4 of the paper.


> My point is that, though your argument may be correct, you
> arrive at the conclusion that "bug reporting has no effects"
> arbitrarily.

I never claimed that. What I said was that the evidence that the
positive effects of bug reporting in terms of reduced intrusions did
not clearly offset the negative effects of said reporting.


> I do not mean to act like the old Greeks, interested only in
> theoretical problems, and despising the empirical. I'd like to
> maintain InfoSec infrastructures safe as of ten years ago. But I will
> not get into a discussion on the process of "bug reporting", since the
> extensive threads all over cannot settle it. I am confident that bugs
> need to be reported, eventually -the sooner the better. And that it is
> the software-development community's job to learn from this continuous
> reporting. Doing otherwise is neglecting reality.

I'm not sure how to answer this. In my view it's a bad idea to
be confident of propositions when one doesn't have empirical data
to support them.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
