Bugtraq mailing list archives
Re: DJB's students release 44 *nix software vulnerability advisories
From: Crispin Cowan <crispin () immunix com>
Date: Wed, 22 Dec 2004 10:26:41 -0800
D. J. Bernstein wrote:
Stephen Samuel writes:I'm asking for a reasonable ammount of time for a responsible programmer to ensure that his/her user community is properly served and protected from the effects of the bugs.Same delusion: you think that users are protected from security holes if the security holes are patched before they're announced. Sorry, but that's not nearly fast enough. Protecting the users means making the programs secure before they're deployed in the first place.
In theory, theory is just like practice. But in practice, it isn't.In theory, I agree with DJB: an infinitely-funded adversary can hire a gang of code analysts to scour a code base looking for vulnerabilities and *not* publish them, effectively manufacturing private exploits in whatever quantity they are willing to pay for. It is conjectured that certain foreign governments are actually doing this.
But in practice, there is a *substantial* amount of epidemiological data that shows that wide-spread attacks against software follow shortly after the disclosure (responsible or otherwise) of a vulnerability. See Brown, Arbaugh et al A Trend Analysis of Exploitations <http://www.cs.umd.edu/%7Ewaa/pubs/CS-TR-4200.pdf> for great data on when attacks happen with respect to disclosure. Furthermore, if you force a fire drill in releasing the security patch, you compromise the quality of the patch. See my work on patch quality "Timing the Application of Security Patches for Optimal Uptime", Beattie et al Postscript <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.ps.gz>. or ugly PDF <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.pdf>.
So while I am sympathetic to DJB's passion for correct software and to hell with the tender feelings of developers who ship buggy code, in practice this kind of 0-day notice of vulnerabilities *mostly* just harms end-users.
Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Current thread:
- Re: DJB's students release 44 *nix software vulnerability advisories, (continued)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories cees-bart (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories Marcin Owsiany (Dec 20)
- Re: DJB's students release 44 *nix software vulnerability advisories security curmudgeon (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories Julian T J Midgley (Dec 20)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 19)
- Re: DJB's students release 44 *nix software vulnerability advisories Artem Chuprina (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Stephen Samuel (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories David Eisner (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 24)
- Message not available
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories milw0rm Inc. (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Antoine Martin (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Chris Paget (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Jack Lloyd (Dec 22)