oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: mancha <mancha1 () zoho com>
Date: Tue, 7 Oct 2014 06:46:22 +0000
On Tue, Oct 07, 2014 at 09:51:50AM +0400, Solar Designer wrote:
> Shellshock is actually an example of "selective disclosure" (as Ted Unangst calls it) arguably not working well enough to be worthwhile. In this case, it was because the right ones (as it turned out) of the "many eyeballs" - Tavis and Michal - were not party to the "selective disclosure". Florian was, but I am guessing that without finding more parser bugs convincing Chet and distros to remove exposure of the parser so urgently would have been difficult. Arguably, this suggests that we should expand the distros list membership with security researchers who are capable, willing, and have (paid?) time to review upcoming security patches and the software being patched for possible other flaws closely related to those being patched.
I've been thinking about this for the past week and agree with your problem identification. However, the lesson I rescue is diametrically opposed to the one you arrived at.

An effect few mention is how dramatically things changed post-embargo. Sure, Chet's been burning the midnight oil (many thanks, Chet; you're owed many beers) but on some level, or maybe only after the dust settles, he'll be very appreciative of the way the community rallied in a highly dynamic way to ultimately help make Bash a better product. From the identification of key breach points (thanks Stephane, Tavis, and Michal) to the development of critical hardening (thanks Florian), the level of engagement has been, and continues to be, extraordinary.

I don't know how long the initial report was embargoed but I'm pretty sure the process became infinitely more productive after the veil of semi-secrecy was lifted (be it in metrics like LoC/hour or reports/day). It's amazing how productive people can be when incentives are properly aligned.

Your solution is to add Tavis and Michal to distros@. What about the next flaw when the two researchers who turn out to be key are Bob and Fred? Add them next? You'll be playing catch-up.

I think the overarching lesson here is there are costs to the embargo paradigm some have grown to love and over-use. Few consider the negative effects that removing one aspect of "open" from open source can have and how energetic the process can become once it's reintroduced.

--mancha