funsec mailing list archives
Re: Security research vuln pimps
From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 26 Apr 2010 16:11:57 -0400
On Mon, Apr 26, 2010 at 09:18:04AM -0700, Hubbard, Dan quoted:
> If you tell the world about a flaw in operational software/hardware, you increase the pool of threat agents that know about it, increase the likelihood they will attack, and increase the chance they will be successful. All of this happens when you make the information known.
This is a whiny argument for purported security-by-obscurity, and it completely ignores the possibility of independent discovery. If person A has studied piece of software X looking for vulnerabilities, then persons B, C, D, etc. have done so as well...or will soon enough. It is only a matter of who will be successful, when they will be successful, and what they will choose to do when they succeed. There is no point in pretending that B, C, D, et al. don't exist. There is even less in presuming that they're not as smart or diligent or clueful as A.

What really increases the likelihood of attack is bad engineering, especially chronically bad engineering. Because after vulnerability #673 is found in piece of software X, it's a reasonable guess to presume that #674 is there waiting to be found.

What increases the likelihood of *successful* attack is using any of the dumb ideas (e.g., default permit, enumerating badness) that we should all be avoiding like the plague.

And what exacerbates both are futile attempts to pretend that all of this information can and should be kept secret. It won't. It can't. Yes, I'm quite sure it's inconvenient for some people that the toothpaste can't be stuffed back in the tube. (It's been inconvenient for me on occasion, too.) But petulantly demanding that everyone else do it is a non-starter.

---Rsk