lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Nov 2003 14:13:48 -0800
From: Crispin Cowan <crispin@...unix.com>
To: Thor Larholm <thor@...x.com>
Cc: Russ <Russ.Cooper@...on.ca>,
	"Steven M. Christey" <coley@...re.org>, bugtraq@...urityfocus.com,
	NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM,
	Sardonix Security Auditing <sardonix@...unix.com>
Subject: Re: Security researchers organization


Thor Larholm wrote:

>>From: Russ [mailto:Russ.Cooper@...on.ca]
>>(Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
>><snip http://tinyurl.com/ve83>
>>Thor Larholm proposed the idea of a "Union" to me. While I don't like 
>>the concept of union's in this day and age, our field is one that 
>>could benefit from such an idea wrt discoverers. They are far too 
>>often bashed (and I have been guilty of this), and often not 
>>recognized for what they do.
>>
The Sardonix.org security auditing web site was designed to do something 
like this. It is not a "union", more like the Slashdot version of source 
code auditing. Sardonix provides:

    * Auditing resources: pointers to how-to's, tools, etc.
      http://sardonix.org/Auditing_Resources.html
    * Indexed lists of audited packages
      http://sardonix.org/Browse_Programs.html
    * Web form for submitting an audit
      http://sardonix.org/Submit_Audit.php which triggers a responsible
      disclosure process that follows the RFP
      <http://www.wiretrip.net/rfp/policy.html> disclosure protocol
    * Mailing list for all the usual reasons
      http://sardonix.org/Mailing_List.html

The problem was that we threw a party and no one came: hundreds signed 
up for the mailing list, but a majority of submitted audits were pushed 
in by students of David Wagner @ Berkeley, who were told to submit 
audits as a class assignment.

A subtle distinction may be the root cause here: Sardonix seeks to 
change the research model from "find a bug, win a prize! (fame & glory 
for half a day)" to "audit software, report what you find, and win a 
reputation for the long term." Having a pile of audited software is 
*much* more useful to admins than an endless stream of "gotcha again!" 
advisories. But from the lack of response from security investigators, I 
conjecture that "find a bug, win a prize!" is more fun to do, and so 
that's what investigators choose to do.

I would just *love* to be wrong here. If there is something I can do to 
make Sardonix more attractive to investigators, without fundamentally 
changing its mission, sing out. I don't feel a need to change it over to 
"find a bug, win a prize" because Bugtraq, vuln-dev, etc. do a fine job 
of that: Sardonix is different to fill a perceived unmet need. But if it 
doesn't interest investigators, then it doesn't do anything at all. So 
how about it; what does it take to interest investigators?

Thanks,
    Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/




Powered by blists - more mailing lists