Date: Mon, 9 Jul 2012 15:10:44 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: How much time is appropriate for fixing a bug?

"Thor (Hammer of God)" <thor@...merofgod.com> wrote:

> I must not have articulated my point properly as it looks like we are both
> saying the same thing.

No, we still disagree.

> What I was trying to convey was that if a person was actually concerned
> about the "industry" as opposed to self-promotion and ego-substantiation,
> then they would just notify the vendors and then get on with their lives
> irrespective of the vendors' ultimate remedy.

CVE can be shut down?

If bugs and vulnerabilities were not published there is
a) no (or little) incentive for the "industry" to fix them
b) no long term record to measure the "quality" of their products.

> As you say, there are any number of reasons why a vendor will or won't
> fix a bug, and/or when they will or won't fix it.

As long as they don't fix known vulnerabilities and bugs their products
are defective, and consumers can ask for a fix, a compensation or return
the defective products and get their money back.

> The "researcher" will never know the requirements or considerations.

There is no need to know the "industry's" requirements or considerations.
As long as they continue to ship products which have not been built
according to the state of the art there is a need to push the "industry"
to do so. Software engineering was coined almost 45 years ago!

> In that respect, you have to "trust" the vendor -

Cf. Ken Thompson's "Reflections on Trusting Trust".
As long as nobody except the vendor knows their own design, test and
build process there is no way of building trust ... except by judging
the "quality" of their products and their response to vulnerability and
bug reports.

> again, *IF* you are not concerned with self promotion.

I'm only concerned about the lack of due diligence some vendors exercise
when they build their products.

Yes, bugs happen, and bugs get fixed. But some vendors make the same
mistakes over and over again. Which can only lead to the following
conclusions:
a) they don't have control or oversight over their developers and their
   build processes.
b) they don't care.

> When a vendor fixes a bug, why do people then post details on their find
> once it is patched?  For recognition.

Yes, for recognition of vulnerabilities and bugs, and for transparency,
and for the sake of the "market"!
Not all vendors publish their change logs and name the fixed vulnerabilities
and bugs.

Compare it to "food watch" or other activities to inform customers about
the "quality" of "industry" products!
Or just to create "public opinion".

> I'm not saying there's anything wrong with it - I've done it myself,
> purely for the reason of getting some acknowledgment.  I was just
> commenting on the "honesty" of Joro's "fuck 'em" comment.
>
> I think any more on the subject will just result in another flare-up of FD
> vs RD vs FO vs GGF, so I'll probably not spend too much more time on the
> thread - but please feel free to add whatever you may think I've missed.

Stefan

> On 7/8/12 5:07 AM, "Stefan Kanthak" <stefan.kanthak@...go.de> wrote:
>
>>"Thor (Hammer of God)" <thor@...merofgod.com> wrote:
>>
>>| Content-Type: multipart/mixed; boundary="===============0734760750=="
>>
>>Please stop posting anything but text/plain.
>>
>>> If you really care about the security of the industry, then submit it and
>>> be done with it.  If and when they fix it is up to them.
>>
>>OUCH!?
>>The "industry" will (typically) not fix any error if the cost for fixing
>>exceeds the loss (or revenue) that this fix creates, including the vendors
>>gain/loss of reputation, gain/loss of stock value, loss of money in court
>>cases or due to compensations, loss of (future) sales due to (dis-)satisfied
>>customers, ...
>>
>>Joe Average can't tell the difference between a program which is designed,
>>developed, built and maintained according to the state of the art, and some
>>piece of crap that is not. He only sees the (nice or promising) GUI of
>>the product and its price tag.
>>
>>Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
