Re: Security researchers organization

From: Crispin Cowan (crispin_at_IMMUNIX.COM)
Date: 11/19/03

    Date: Wed, 19 Nov 2003 14:13:48 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Thor Larholm wrote:

    >>From: Russ [mailto:Russ.Cooper@rc.on.ca]
    >>(Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
    >><snip http://tinyurl.com/ve83>
    >>Thor Larholm proposed the idea of a "Union" to me. While I don't like
    >>the concept of unions in this day and age, our field is one that
    >>could benefit from such an idea wrt discoverers. They are far too
    >>often bashed (and I have been guilty of this), and often not
    >>recognized for what they do.
    >>
    The Sardonix.org security auditing web site was designed to do something
    like this. It is not a "union", more like the Slashdot version of source
    code auditing. Sardonix provides:

        * Auditing resources: pointers to how-to's, tools, etc.
          http://sardonix.org/Auditing_Resources.html
        * Indexed lists of audited packages
          http://sardonix.org/Browse_Programs.html
        * Web form for submitting an audit
          http://sardonix.org/Submit_Audit.php which triggers a responsible
          disclosure process that follows the RFP
          <http://www.wiretrip.net/rfp/policy.html> disclosure protocol
        * Mailing list for all the usual reasons
          http://sardonix.org/Mailing_List.html

    The problem was that we threw a party and no one came: hundreds signed
    up for the mailing list, but a majority of submitted audits were pushed
    in by students of David Wagner @ Berkeley, who were told to submit
    audits as a class assignment.

    A subtle distinction may be the root cause here: Sardonix seeks to
    change the research model from "find a bug, win a prize! (fame & glory
    for half a day)" to "audit software, report what you find, and win a
    reputation for the long term." Having a pile of audited software is
    *much* more useful to admins than an endless stream of "gotcha again!"
    advisories. But from the lack of response from security investigators, I
    conjecture that "find a bug, win a prize!" is more fun to do, and so
    that's what investigators choose to do.

    I would just *love* to be wrong here. If there is something I can do to
    make Sardonix more attractive to investigators, without fundamentally
    changing its mission, sing out. I don't feel a need to change it over to
    "find a bug, win a prize" because Bugtraq, vuln-dev, etc. do a fine job
    of that: Sardonix is different to fill a perceived unmet need. But if it
    doesn't interest investigators, then it doesn't do anything at all. So
    how about it; what does it take to interest investigators?

    Thanks,
        Crispin

    --
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
    -----
    Marcus Ranum's new book "The Myth of Homeland Security" is now out and
    is available from http://www.amazon.com/ranum In this hard-hitting
    review of the homeland security business, Ranum shows us how the problem
    is vastly harder than it's being made to sound, and how special
    interests, *** covering, and bureaucracy are threatening to derail any
    chance of making progress.
    -----