[15625] in cryptography@c2.net mail archive


Re: Is finding security holes a good idea?

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Jun 16 09:11:00 2004

X-Original-To: cryptography@metzdowd.com
To: Jerrold Leichter <jerrold.leichter@smarts.com>
Cc: tls@rek.tjls.com, cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Jun 2004 21:37:38 -0700
In-Reply-To: <Pine.GSO.4.58.0406151755450.5697@frame> (Jerrold Leichter's
 message of "Tue, 15 Jun 2004 18:08:37 -0400 (EDT)")

Jerrold Leichter <jerrold.leichter@smarts.com> writes:

> | Thor Lancelot Simon <tls@rek.tjls.com> writes:
> |
> | > On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
> | >> Roughly speaking:
> | >> If I as a White Hat find a bug and then don't tell anyone, there's no
> | >> reason to believe it will result in any intrusions.  The bug has to
> | >
> | > I don't believe that the premise above is valid.  To believe it, I think
> | > I'd have to hold that there were no correlation between bugs I found and
> | > bugs that others were likely to find; and a lot of experience tells me
> | > very much the opposite.
> |
> | The extent to which bugs are independently rediscovered is certainly
> | an open question which hasn't received enough study. However, the
> | fact that relatively obvious and serious bugs seem to persist for
> | long periods of time (years) in code bases without being found
> | in the open literature, suggests that there's a fair amount of
> | independence.
> I don't find that argument at all convincing.  After all, these bugs *are*
> being found!

Well, SOME bugs are being found. I don't know what you mean by
"these" bugs. We don't have any real good information about
the bugs that haven't been found. What makes you think that
there aren't 5x as many bugs still in the code that are basically
like the ones you've found?


> It's clear that having access to the sources is not, in and of itself,
> sufficient to make these bugs visible (else the developers of close-source
> software would find them long before independent white- or black-hats).

I don't think that's clear at all. It could be purely stochastic.
I.e. you look at a section of code, you find the bug with some
probability. However, there's a lot of code and the auditing
coverage isn't very deep so bugs persist for a long time. 

-Ekr
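
The stochastic-coverage argument in Ekr's last paragraph can be made concrete with a small Monte Carlo model. The Python below is an added example, not code from the thread or from any of its participants. Its model is an assumption: a code base of N sections with one latent bug each, a fixed number of independent auditors, a per-period coverage fraction, and a per-examination detection probability; the parameter values and the closed-form analytic() check beside the simulation are likewise illustrative.

```python
"""Monte Carlo model of independent, shallow code auditing.

Added example (not from the thread).  Assumed model: a code base of
`n_bugs` sections, each holding one latent bug; `auditors` independent
reviewers; in every period each reviewer examines a random `coverage`
fraction of the sections and spots the bug in an examined section with
probability `p_find`.  All parameter values below are illustrative.
"""
import random
from dataclasses import dataclass


@dataclass
class AuditStats:
    survival_fraction: float      # share of bugs still unfound after the last period
    rediscovery_fraction: float   # share of found bugs found by >= 2 auditors in the same period
    mean_discovery_period: float  # mean period index (1-based) of discovery, among found bugs


def simulate(n_bugs=10000, auditors=5, coverage=0.05, p_find=0.2,
             periods=36, seed=1):
    """Simulate every bug's life under independent per-period auditing."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    survivors = found = rediscovered = 0
    period_sum = 0
    for _ in range(n_bugs):
        for t in range(1, periods + 1):
            finders = 0
            for _ in range(auditors):
                # Examine this section with probability `coverage`; only an
                # examined section can yield a find, with probability `p_find`.
                if rng.random() < coverage and rng.random() < p_find:
                    finders += 1
            if finders:
                found += 1
                period_sum += t
                if finders >= 2:
                    rediscovered += 1  # independent, same-period rediscovery
                break
        else:
            survivors += 1  # outlived the whole observation window
    if found == 0:
        return AuditStats(1.0, 0.0, float("inf"))
    return AuditStats(survivors / n_bugs, rediscovered / found, period_sum / found)


def analytic(auditors=5, coverage=0.05, p_find=0.2, periods=36):
    """Closed-form values for the same model, used to check the simulation.

    A given auditor finds a given bug in a given period with probability
    q = coverage * p_find, so the number of finders in a period is
    Binomial(auditors, q) and the discovery period is geometric with
    per-period hazard h = 1 - (1 - q) ** auditors.
    """
    q = coverage * p_find
    p_none = (1 - q) ** auditors
    p_one = auditors * q * (1 - q) ** (auditors - 1)
    hazard = 1 - p_none
    survival = p_none ** periods
    rediscovery = (1 - p_none - p_one) / hazard
    # Mean of the geometric discovery period, conditioned on discovery
    # inside the observation window.
    mean_period = sum(t * hazard * p_none ** (t - 1)
                      for t in range(1, periods + 1)) / (1 - p_none ** periods)
    return AuditStats(survival, rediscovery, mean_period)


if __name__ == "__main__":
    for cov in (0.05, 0.5):
        sim, exact = simulate(coverage=cov), analytic(coverage=cov)
        print(f"coverage={cov:.2f}  simulated={sim}")
        print(f"coverage={cov:.2f}  analytic ={exact}")
```

With the default parameters (five independent auditors, each examining 5% of the code per period and spotting a bug in an examined section 20% of the time), about 16% of bugs are still unfound after 36 periods, yet only about 2% of discoveries are made by two auditors in the same period. Raising coverage to 50% drives survival to essentially zero and the same-period rediscovery rate to roughly 20%. Long persistence together with low rediscovery is exactly what shallow, independent auditing predicts, which is the possibility Ekr raises against the "these bugs are being found" objection.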


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
