Bugtraq mailing list archives
Re: DJB's students release 44 *nix software vulnerability advisories
From: cees-bart <ceesb () cs ru nl>
Date: Fri, 17 Dec 2004 13:16:44 +0100
Thor Larholm wrote:
> This small group of students highlights how individuals outside the security industry without special security prerequisites can still manage to outperform the average Bugtraq poster in sheer quantity of discoveries. This adequately validates the typical estimate of between 5 and 15 errors in every thousand lines of code.

Most of the 44 posted "security" advisories are about software bugs with a very low security risk. See for example the posted bug on NASM (http://tigger.uic.edu/~jlongs2/holes/nasm.txt): what's the chance of an evil asm file being sent to an ignorant user that calls nasm to compile this file? And this nasm bug is then called a "remotely exploitable security hole". If I mail out a shell script that does "rm -rf $HOME/*", this can also be considered a remotely exploitable security hole.
A proper (wide-scale) remotely exploitable security hole is one that can be exploited without any ignorant user on the other side: for example, the bug in the Windows Messenger service, which was enabled by default, making every user vulnerable, regardless of their stupidity.
With a class of 25 students discovering 44 vulnerabilities most students now expect to fail the course (http://it.slashdot.org/article.pl?sid=04/12/15/2113202).
I think punishing students that have actually found security holes does not make the world a better place ;)
-- cees-bart.