Message-ID: <Pine.SGI.4.44.0208190958510.153330-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Shiver me timbers.
On Mon, 19 Aug 2002, Timothy J.Miller wrote:
> > Perhaps. However, the analogy may not be apt.
> Actually, it's more apt than you think.
No, actually it's not. If you'll notice, in your post here you don't even
address _your_ analogy at all, but instead you use mine. Your analogy
involved car owners having their car burst into flames at a stop light.
Notice it doesn't involve auto mechanics/engineers at all.
> Auto mechanics find engineering and manufacturing defects in automobiles
> all the time. They also, on the whole, report them to the auto
> manufacturer *as well as* their customers, even though it could be
> argued that it is in their best interest to keep it to themselves (thus
> insuring repeat business).
First of all we are now discussing _my_ analogy, not yours. Don't attempt
to make up for your initial dicto simpliciter argument by borrowing
analogy.
Now, let's address your attempted rebuttal to my analogy. I assert
that the point you make here does nothing to put your analogy in the
context of security. Primarily computer security involves different groups
of people doing two things:
1. Trying to find bugs related to _security_ which are potentially
exploitable. Their motivations may be different (white or black hat). Your
analogy of an "idling car bursting into flame at a stop light" doesn't do
much to represent this. My analogy involves a mechanic who finds that a
gas tank can be easily rigged to explode. I think it's easy to see a
difference here.
2. Exploiting bugs. Your analogy also clearly fails here. What third party
exploited the car to make it burst into flames? However, in my analogy I
attempt to adjust for this by implying that the gas tank can be
potentially exploited (i.e. "easily rigged to explode") by a third party
(i.e. things don't "rig" themselves).
Now with that said, let's move on, and discuss how you have
misapplied my analogy. First of all, to put the analogy in the context of
security it must involve some similar set of circumstances. A mechanic who
finds that the radio won't play after replacing the ignition coil due to a
manufacturing defect doesn't put into play the two aforementioned factors,
thus not all car defects mirror the proper set of circumstances to make an
applicable analogy. Hence saying "most mechanics report defects" is
weightless in context. Plenty of software bugs get reported back to
vendors, too. However, they usually involve things that can easily be
found by a user (i.e. "your software doesn't work in 32 bit color"). You
don't see people on security lists arguing over reporting these types of
bugs. The critical difference is that _security_ bugs involve a group of
folks that are working to find security related bugs and use them
against the users of the software.
However, if we consider a problem that involves someone being able
to easily perpetrate a malicious action against the car owner due to a
manufacturer defect, then it's apt. See how that works? Now, trucking
right along, if someone decides to make a hobby or a career out of finding
these specific types of defects, they don't really have any obligation to
report them for free to anyone. They did the work to find the bug, they
_will_ decide what's morally right to do afterwards regardless of how many
"standards" documents are written by people who think they have superior
ethics. If that means they want to withhold the information for what they
consider to be a better purpose, then it's not only their choice, but they
also might be morally justified to do so. It all depends on the
circumstances.
aliver