Re: Public disclosure of discovered vulnerabilities

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 06/10/05


Date: Fri, 10 Jun 2005 19:09:16 +0000 (UTC)

Vernon Schryver wrote:
>How many applications on computers connected even indirectly to the
>Internet by "sneaker net" don't handle at least some data from the
>Internet? Thus, you seem to be saying that every application is
>"security-critical."

I think that we are indeed heading in that direction. When it
is true, it speaks to a failure to architect our systems in a way that
is amenable to securing them, doesn't it?

I doubt it will be quite that bad. For instance, my laptop's software
for power management (hard drive spin-up/spin-down, etc.) probably is
not security-critical.

>It is inconsistent with your objection to someone's claim that all
>denial of service attacks are significant. Saying that all network
>connected or Internet data-processing applications are "security
>critical" is more wrong than saying that all denial of service attacks
>matter. Both are true, but only in exaggerated and trivializing senses.

I still don't see the inconsistency.

>If echo, discard, and time-of-day services are "security-critical,"
>then the notion of "security critical" should get the attention that
>Microsoft has historically paid to features such as executing programs
>that arrive by email for Outlook "thumbnails."

Not all security-critical applications are equally critical: some
are a greater risk than others. Obviously, you focus first on where
you can make the biggest difference, and where the biggest risk is.

At the moment, a web server is a higher risk than an MP3 player --
but don't be surprised if in the next decade we see exploits that
attack MP3 player applications (e.g., with malicious MP3 files).
