lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <Pine.SGI.4.44.0208190958510.153330-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Shiver me timbers.

On Mon, 19 Aug 2002, Timothy J.Miller wrote:

> > Perhaps. However, the analogy may not be apt.
>
> Actually, it's more apt than you think.

No, actually it's not. If you'll notice, in your post here you don't even address _your_ analogy at all, but instead you use mine. Your analogy involved car owners having their car burst into flames at a stop light. Notice it doesn't involve auto mechanics/engineers at all.

> Auto mechanics find engineering and manufacturing defects in automobiles
> all the time. They also, on the whole, report them to the auto
> manufacturer *as well as* their customers, even though it could be
> argued that it is in their best interest to keep it to themselves (thus
> ensuring repeat business).

First of all, we are now discussing _my_ analogy, not yours. Don't attempt to make up for your initial dicto simpliciter argument by borrowing my analogy.

Now, let's address your attempted rebuttal to my analogy. I assert that the point you make here does nothing to put your analogy in the context of security. Primarily, computer security involves different groups of people doing two things:

1. Trying to find bugs related to _security_ which are potentially exploitable. Their motivations may be different (white or black hat). Your analogy of an "idling car bursting into flame at a stop light" doesn't do much to represent this. My analogy involves a mechanic who finds that a gas tank can be easily rigged to explode. I think it's easy to see a difference here.

2. Exploiting bugs. Your analogy also clearly fails here. What third party exploited the car to make it burst into flames? However, in my analogy I attempt to adjust for this by implying that the gas tank can be potentially exploited (i.e., "easily rigged to explode") by a third party (i.e., things don't "rig" themselves).

Now, with that said, let's move on and discuss how you have misapplied my analogy. First of all, to put the analogy in the context of security it must involve some similar set of circumstances. A mechanic who finds that the radio won't play after replacing the ignition coil due to a manufacturing defect doesn't put into play the two aforementioned factors; thus not all car defects mirror the proper set of circumstances to make an applicable analogy. Hence saying "most mechanics report defects" is weightless in context. Plenty of software bugs get reported back to vendors, too. However, they usually involve things that can easily be found by a user (i.e., "your software doesn't work in 32 bit color"). You don't see people on security lists arguing over reporting these types of bugs. The critical difference is that _security_ bugs involve a group of folks that are working to find security related bugs and use them against the users of the software. However, if we consider a problem that involves someone being able to easily perpetrate a malicious action against the car owner due to a manufacturer defect, then it's apt. See how that works?

Now, trucking right along, if someone decides to make a hobby or a career out of finding these specific types of defects, they don't really have any obligation to report them for free to anyone. They did the work to find the bug; they _will_ decide what's morally right to do afterwards, regardless of how many "standards" documents are written by people who think they have superior ethics. If that means they want to withhold the information for what they consider to be a better purpose, then it's not only their choice, but they also might be morally justified to do so. It all depends on the circumstances.

aliver