Open Source and information security mailing list archives
Date: Fri, 17 Dec 2004 23:35:03 +0000 (GMT)
From: Julian T J Midgley <jtjm@...oclast.org>
To: security curmudgeon <jericho@...rition.org>
Cc: bugtraq@...urityfocus.com, Thor Larholm <thor@...x.com>,
	"D. J. Bernstein" <djb@...yp.to>
Subject: Re: DJB's students release 44 *nix software vulnerability advisories


On Fri, 17 Dec 2004, security curmudgeon wrote:
>
> In each case, Professor Bernstein notified the author of the vulnerable
> package on Dec 15 via e-mail. This mail hit Bugtraq on the 16th, giving
> one day for vendors to provide fixes.
>
> Is the class on responsible disclosure next semester perhaps?

To be honest, I was pleasantly surprised that DJB had bothered to contact
the authors at all.  He once said, in a discussion about the
securesoftware mailing list, which he touted at the time as a competitor
to bugtraq:

"Immediate full disclosure, with a working exploit, punishes the
programmer for his bad code. He panics; he has to rush to fix the problem;
he loses users.

You're whining that punishment is painful. You're ignoring the effect
that punishment has on future behavior. It encourages programmers to
invest the time and effort necessary to eliminate security problems."

http://groups-beta.google.com/group/comp.security.unix/msg/e576548f53195b01

By which standard, 24 hours is the height of responsibility.  Admittedly,
the vulnerabilities were notified to the securesoftware list
(http://securesoftware.list.cr.yp.to/archives.html) concurrently with
author notification, but since there have been only 57 messages sent to
that list in the last three years, 44 of which were the student-discovered
vulnerabilities themselves, I doubt it has a large readership ;-)

The actual notifications to the world (via slashdot and later bugtraq)
don't seem necessarily to have occurred at DJB's instigation, so he may
have been intending to give the authors a chance after all.

Notwithstanding all that, the course itself seems like an excellent idea
to me, and it will be interesting to see if useful statistics on the rates
of incidence of security holes in software, and techniques for detecting them
and, ideally, preventing their inclusion in the first place, come out of
it.

Julian

-- 
Julian T. J. Midgley                       http://www.xenoclast.org/
Cambridge, England.
PGP: BCC7863F FP: 52D9 1750 5721 7E58 C9E1  A7D5 3027 2F2E BCC7 863F


