[15626] in cryptography@c2.net mail archive
Re: Is finding security holes a good idea?
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Jun 16 09:12:02 2004
X-Original-To: cryptography@metzdowd.com
To: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: "Steven M. Bellovin" <smb@research.att.com>,
Ben Laurie <ben@algroup.co.uk>, cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Jun 2004 21:37:42 -0700
In-Reply-To: <a06002008bcf50a5194e8@[192.168.0.4]> (Arnold G. Reinhold's
message of "Wed, 16 Jun 2004 00:14:37 -0400")
"Arnold G. Reinhold" <reinhold@world.std.com> writes:
> My other concern with the thesis that finding security holes is a bad
> idea is that it treats the Black Hats as a monolithic group. I would
> divide them into three categories: ego hackers, petty criminals, and
> high-threat attackers (terrorists, organized criminals and evil
> governments). The high-threat attackers are likely accumulating
> vulnerabilities for later use. With the spread of programming
> knowledge to places where labor is cheap, one can imagine very
> dangerous systematic efforts to find security holes. In this context
> the mere ego hackers might be thought of as beta testers for IT
> security. We'd better keep fixing the bugs.
This only follows if there's a high degree of overlap between the
bugs that the black hats find and the bugs that white hats would
find in their auditing efforts. That's precisely what is at
issue.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com