Re: DJB's students release 44 *nix software vulnerability advisories

From: Julian T J Midgley (jtjm_at_xenoclast.org)
Date: 12/18/04

  • Next message: Martin Pitt: "[USN-41-1] Samba vulnerability"
    Date: Fri, 17 Dec 2004 23:35:03 +0000 (GMT)
    To: security curmudgeon <jericho@attrition.org>
    
    

    On Fri, 17 Dec 2004, security curmudgeon wrote:
    >
    > In each case, Professor Bernstein notified the author of the vulnerable
    > package on Dec 15 via e-mail. This mail hit Bugtraq on the 16th, giving
    > one day for vendors to provide fixes.
    >
    > Is the class on responsible disclosure next semester perhaps?

    To be honest, I was pleasantly surprised that DJB had bothered to contact
    the authors at all. He once said, in a discussion about the
    securesoftware mailing list, which he touted at the time as a competitor
    to bugtraq:

    "Immediate full disclosure, with a working exploit, punishes the
    programmer for his bad code. He panics; he has to rush to fix the problem;
    he loses users.

    You're whining that punishment is painful. You're ignoring the effect
    that punishment has on future behavior. It encourages programmers to
    invest the time and effort necessary to eliminate security problems."

    http://groups-beta.google.com/group/comp.security.unix/msg/e576548f53195b01

    By which standard, 24 hours is the height of responsibility. Admittedly,
    the vulnerabilities were notified to the securesoftware list
    (http://securesoftware.list.cr.yp.to/archives.html) concurrently with
    author notification, but since there have been only 57 messages sent to
    that list in the last three years, 44 of which were the student discovered
    vulnerabilities themselves, I doubt it has a large readership ;-)

    The actual notifications to the world (via slashdot and later bugtraq)
    don't seem necessarily to have occurred at DJB's instigation, so he may
    have been intending to give the authors a chance after all.

    Notwithstanding all that, the course itself seems like an excellent idea
    to me, and it will be interesting to see if useful statistics on the rates
    incidence of security holes in software, and techniques for detecting them
    and, ideally, preventing their inclusion in the first place, come out of
    it.

    Julian

    -- 
    Julian T. J. Midgley                       http://www.xenoclast.org/
    Cambridge, England.
    PGP: BCC7863F FP: 52D9 1750 5721 7E58 C9E1  A7D5 3027 2F2E BCC7 863F
    

  • Next message: Martin Pitt: "[USN-41-1] Samba vulnerability"

    Relevant Pages