Dailydave mailing list archives
Re: [Full-disclosure] Linux's unofficial security-through-coverup policy
From: nnp <version5 () gmail com>
Date: Sat, 19 Jul 2008 12:00:43 +0100
On Fri, Jul 18, 2008 at 4:49 PM, Thomas Ptacek <tqbf () matasano com> wrote:
And Linus's point is that many of those regressions matter *more* than most security bugs, because they can totally hose your system too - corrupt filesystems, cause system hangs and lockups, poor performance, and who knows what else.
And this is where Linus lapses into crazy talk, because data corruption bugs are far less important than vulnerabilities that can compromise my mom's credit card numbers and bank accounts.
That's a fairly stupid thing to say and is the kind of black and white point of view that gets security people branded as narrow-minded 'masturbating monkeys'. Use your imagination for a second and I'm sure you'll be able to think of a number of situations where a security bug is far less serious than one that results in data corruption.
Bugs don't have adversaries. Vulnerabilities do.
Probably because security researchers haven't come up with a way to make money off them yet.
But I feel Linus' pain.
--
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
--
http://www.smashthestack.org
http://www.unprotectedhex.com