lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4417F22C3B0B6F41BF7D2DFD@utd65257.utdallas.edu>
Date: Thu, 17 Jul 2008 09:58:03 -0500
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Dailydave] Linux's
 unofficial	security-through-coverup policy

--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad <elazar@...hmail.com> 
wrote:

> I could understand why Linus is against classifying a commit
> comment in his branch or in a any unstable branch for that
> matter...then again, the repositories are open, and anyone with
> half a brain might be able to discern what has security
> ramifications or not.

Apparently this isn't as true as you'd like to think.  If it were, the folks 
who write the code would have caught it to begin with.  After all, anyone who 
can write kernel code that works has *at least* half a brain, wouldn't you say?

The truth is, there is a very small pool of people smart enough, educated 
enough and familiar with the code in question enough to actually spot security 
problems in the code.  Those folks are worth their weight in gold, but in many 
cases they do it for the pure pleasure of finding the bugs.  They also only 
focus on those things that interest them, so the number of people actually 
looking for security issues in the LInux kernel code is infinitesimally small 
compared to the number of people who use the compiled product.

Claiming that "anyone with half a brain" can spot security problems in code 
belittles both those who actually can and all those who cannot but want to be 
informed about them so they can protect themselves.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ