| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 22 Dec 2004 07:05:12 -0000 From: "D. J. Bernstein" <djb@...yp.to> To: bugtraq@...urityfocus.com Subject: Re: DJB's students release 44 *nix software vulnerability advisories Stephen Samuel writes: > crackers will have up to 8 hours to code and use your bug It's not _my_ bug. It's also not my student's bug. It's the _program's_ bug. Sorry to have to break the news to you, but the attacker has had a _year_ to exploit the bug if the program was released a year ago. You're under the delusion that the bug's existence and exploitability were created by the messenger---the bug-report publisher---rather than by the original programmer. I realize that this is a common delusion, one of the big excuses for inadequate security efforts; one of the virtues of full disclosure is that it forcibly overrides the delusion. > I'm asking for a reasonable ammount of time for a responsible > programmer to ensure that his/her user community is properly served > and protected from the effects of the bugs. Same delusion: you think that users are protected from security holes if the security holes are patched before they're announced. Sorry, but that's not nearly fast enough. Protecting the users means making the programs secure before they're deployed in the first place. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Powered by blists - more mailing lists