Bugtraq mailing list archives
Re: DJB's students release 44 *nix software vulnerability advisories
From: "D. J. Bernstein" <djb () cr yp to>
Date: 22 Dec 2004 07:05:12 -0000
Stephen Samuel writes:
crackers will have up to 8 hours to code and use your bug
It's not _my_ bug. It's also not my student's bug. It's the _program's_ bug. Sorry to have to break the news to you, but the attacker has had a _year_ to exploit the bug if the program was released a year ago. You're under the delusion that the bug's existence and exploitability were created by the messenger---the bug-report publisher---rather than by the original programmer. I realize that this is a common delusion, one of the big excuses for inadequate security efforts; one of the virtues of full disclosure is that it forcibly overrides the delusion.
I'm asking for a reasonable ammount of time for a responsible programmer to ensure that his/her user community is properly served and protected from the effects of the bugs.
Same delusion: you think that users are protected from security holes if the security holes are patched before they're announced. Sorry, but that's not nearly fast enough. Protecting the users means making the programs secure before they're deployed in the first place. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Current thread:
- DJB's students release 44 *nix software vulnerability advisories Thor Larholm (Dec 16)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories cees-bart (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories Marcin Owsiany (Dec 20)
- Re: DJB's students release 44 *nix software vulnerability advisories security curmudgeon (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories Julian T J Midgley (Dec 20)
- <Possible follow-ups>
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 19)
- Re: DJB's students release 44 *nix software vulnerability advisories Artem Chuprina (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Stephen Samuel (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories David Eisner (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 24)
- Message not available
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories milw0rm Inc. (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Antoine Martin (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Chris Paget (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Jack Lloyd (Dec 22)