Date: Thu, 22 Jan 2004 09:37:45 -0600
From: "Daniel Whelan" <daniel.whelan@...kapoocheese.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Paper announcement: Is finding security holes a good idea?


I am in a sinking ship.  The water flows in at a constant rate and does
not diminish.  I begin bailing.

After a little while, I notice that my efforts have had no 'measurable
effect'; the level of water in my ship has not gone down, so I decide to
focus my attention on trimming the sails or 'other' work . . .

Granted, the analogy is not perfect, but it holds some truth.

-----Original Message-----
From: Eric Rescorla [mailto:ekr@...m.com] 
Sent: Wednesday, January 21, 2004 5:42 PM
To: bugtraq@...urityfocus.com
Subject: Paper announcement: Is finding security holes a good idea?


Bugtraq readers might be interested in this paper:

                   Is finding security holes a good idea?

                             Eric Rescorla
                   RTFM, Inc.   <http://www.rtfm.com/>

A large amount of effort is expended every year on finding and patching
security holes. The underlying rationale for this activity is that it
increases welfare by decreasing the number of bugs available for
discovery and exploitation by bad guys, thus reducing the total cost of
intrusions. Given the amount of effort expended, we would expect to see
noticeable results in terms of improved software quality. However, our
investigation does not support a substantial quality improvement--the
data does not allow us to exclude the possibility that the rate of bug
finding in any given piece of software is constant over long periods of
time. If there is little or no quality improvement, then we have no
reason to believe that the disclosure of bugs reduces the overall
cost of intrusions.

The paper can be downloaded from: http://www.rtfm.com/bugrate.pdf
http://www.rtfm.com/bugrate.ps
