oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: mancha <mancha1 () zoho com>
Date: Tue, 7 Oct 2014 09:05:40 +0000
On Tue, Oct 07, 2014 at 11:35:41AM +0400, Solar Designer wrote:

I'll reply to the more salient points.

> I am not saying I arrived at the above lesson. Notice the word "arguably". No change to distros list membership is being proposed.

OK. Given these two comments:

> In this case, it was because the right ones (as it turned out) of the "many eyeballs" - Tavis and Michal - were not party to the "selective disclosure"...Arguably, this suggests that we should expand the distros list membership with security researchers who are capable, willing, and have (paid?) time to review upcoming security patches and the software being patched for possible other flaws closely related to those being patched.

and

> Would immediate full disclosure of Shellshock have helped? I doubt it.

I assumed you leaned towards steps like expanding private lists versus more rapid engagement of the broader community. As you say, you use "arguably", so it would help if you'd clarify your position more explicitly.

> Unfortunately, those same people were also less productive than usual at their other duties (including security-related) during this time period.

That's a fact of life: resources are constrained. The question isn't whether there are 24 hours in the day but whether the overall good was being maximized in an embargo framework or not.

> It sounds like it's obvious to you that we've seen a case of "over-use" of embargo and that "few" people "consider the negative effects".

In this case, was embargo under-used, over-used, or just right? I don't know, but one way to arrive at an answer is to consider things empirically. How did the process evolve in practice? Did things improve (by various metrics) post disclosure, or not, etc.

> Also, you're quoting only part of the context. More context for Chet: http://www.openwall.com/lists/oss-security/2014/10/07/7

I added Chet because I was thanking him for his efforts and because he has a unique perspective: how was working with the community and how did things change for him, as upstream, pre and post disclosure. Thanks for adding the link to the full message, but I wasn't intentionally trying to filter context.

--mancha