Re: DJB's students release 44 *nix software vulnerability advisories

From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 12/22/04

  • Next message: Jonathan Rockway: "Re: DJB's students release 44 *nix software vulnerability advisories"
    Date: 22 Dec 2004 07:05:12 -0000
    To: bugtraq@securityfocus.com
    Stephen Samuel writes:
    > crackers will have up to 8 hours to code and use your bug

    It's not _my_ bug. It's also not my student's bug. It's the _program's_
    bug. Sorry to have to break the news to you, but the attacker has had a
    _year_ to exploit the bug if the program was released a year ago.

    You're under the delusion that the bug's existence and exploitability
    were created by the messenger---the bug-report publisher---rather than
    by the original programmer. I realize that this is a common delusion,
    one of the big excuses for inadequate security efforts; one of the
    virtues of full disclosure is that it forcibly overrides the delusion.

    > I'm asking for a reasonable amount of time for a responsible
    > programmer to ensure that his/her user community is properly served
    > and protected from the effects of the bugs.

    Same delusion: you think that users are protected from security holes if
    the security holes are patched before they're announced. Sorry, but
    that's not nearly fast enough. Protecting the users means making the
    programs secure before they're deployed in the first place.

    ---D. J. Bernstein, Associate Professor, Department of Mathematics,
    Statistics, and Computer Science, University of Illinois at Chicago
