lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041222070512.70836.qmail@cr.yp.to>
Date: 22 Dec 2004 07:05:12 -0000
From: "D. J. Bernstein" <djb@...yp.to>
To: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories


Stephen Samuel writes:
> crackers will have up to 8 hours to code and use your bug

It's not _my_ bug. It's also not my student's bug. It's the _program's_
bug. Sorry to have to break the news to you, but the attacker has had a
_year_ to exploit the bug if the program was released a year ago.

You're under the delusion that the bug's existence and exploitability
were created by the messenger---the bug-report publisher---rather than
by the original programmer. I realize that this is a common delusion,
one of the big excuses for inadequate security efforts; one of the
virtues of full disclosure is that it forcibly overrides the delusion.

> I'm asking for a reasonable ammount of time for a responsible
> programmer to ensure that his/her user community is properly served
> and protected from the effects of the bugs.

Same delusion: you think that users are protected from security holes if
the security holes are patched before they're announced. Sorry, but
that's not nearly fast enough. Protecting the users means making the
programs secure before they're deployed in the first place.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ