Message-ID: <A43A11B70AE4F44E93C14D7B4589D48AB257D9@xcgcaf01.northgrum.com>
Date: Tue, 21 Dec 2004 14:31:16 -0800
From: "Manning, Robert (Mission Systems)" <Bob.Manning@....com>
To: "D. J. Bernstein" <djb@...yp.to>, <bugtraq@...urityfocus.com>
Subject: RE: DJB's students release 44 *nix software vulnerability advisories


Actually, I think this would make for a fascinating course. If I were teaching it, I don't know that I would have insisted on each student finding 10 holes, that does seem too optimistic. Rather, I would think requiring students to document their efforts at attempting to find holes, and assign extra credit for those who actually discover them. That would allow all students an equal chance at a grade, without penalizing those who aren't fortunate enough (as it were) to run across a vulnerability.

This sort of course is well outside what those in academia think of as the normal CS curriculum (see http://www.computer.org/cspress/CATALOG/cs01499.htm). Instead of criticism, I would think that we in the software industry (and especially those of us who also teach CS) should champion inventive (and currently quite relevant) courses such as this. It is hard to convince those who make such decisions to allow such courses, especially in light of insufficient precedence (the bureaucratic inertia of academia rivals that of other government offices).

Arguing over how to classify an exploit seems to be fair game for this list, but you folks often forget just how 'l33t you are. You forget how long it took you to know what you know. College students are probably more over-worked than you are. If I were the instructor of this class, I would probably caution my students on submitting their work to lists like Bugtraq, and if they chose to, to be well aware of the flames that may result. Arguing over full disclosure or whether something is remotely exploitable or not misses the point of the class, near as I can tell.

Happy Holidays to all.
Robert Manning


> -----Original Message-----
> From: D. J. Bernstein [mailto:djb@...yp.to]
> Sent: Friday, December 17, 2004 8:25 PM
> To: bugtraq@...urityfocus.com
> Subject: Re: DJB's students release 44 *nix software vulnerability advisories
> 
> 
> Shu T. Messenger writes:
> > In each case, Professor Bernstein notified the author of the
> > vulnerable package on Dec 15 via e-mail. This mail hit Bugtraq on the
> > 16th, giving one day for vendors to provide fixes.
> 
> Actually, I sent all of these notifications to the public securesoftware
> mailing list (http://securesoftware.list.cr.yp.to) at the same time that
> I sent them to the authors. It certainly wasn't my intention to give the
> authors an extra day of self-delusion.
> 
> > Is the class on responsible disclosure next semester perhaps?
> 
> If you had bothered to look at the slides on the course web page, you
> would have seen a half day dedicated to the topic, plus some examples on
> subsequent days of how people react to full disclosure when they're
> trying to protect their shoddy security practices.
> 
> The reason that the 16 students sent their 91 reports to me privately is
> so that they wouldn't have to deal with people like you. It was entirely
> my decision to send out these 44 public notices.
> 
> ---D. J. Bernstein, Associate Professor, Department of Mathematics,
> Statistics, and Computer Science, University of Illinois at Chicago
> 

