Bugtraq mailing list archives
Re: DJB's students release 44 *nix software vulnerability advisories
From: "D. J. Bernstein" <djb () cr yp to>
Date: 23 Dec 2004 06:39:55 -0000
http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf summarizes reports to CERT of intrusions through three particular security holes. Most intrusions occurred months or years after the holes were disclosed to the public. (Let's assume that reports to CERT are noticeably correlated with actual damage.) Crispin starts from these three examples of intrusions occurring _after_ full disclosure, and---applying the principle ``post hoc, ergo propter hoc''---leaps to the astounding conclusion that the intrusions were _caused_ by full disclosure, i.e., that avoiding disclosure would have prevented the intrusions. Crispin's conclusion is obviously incorrect. We've all seen reports of extensive damage caused by attackers exploiting security holes that _weren't_ publicly known before the attacks. Clearly the attackers are capable of reading software and finding security holes for themselves. This isn't rocket science. There is, by the way, a more subtle problem with the argument against full disclosure: the argument focuses entirely on short-term effects and ignores long-term effects. But the basic problem with the argument is that it's out of whack with reality. If you think that hiding security information keeps us safe, you're deluding yourself. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Current thread:
- Re: DJB's students release 44 *nix software vulnerability advisories, (continued)
- Re: DJB's students release 44 *nix software vulnerability advisories cees-bart (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories Marcin Owsiany (Dec 20)
- Re: DJB's students release 44 *nix software vulnerability advisories security curmudgeon (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories Julian T J Midgley (Dec 20)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 19)
- Re: DJB's students release 44 *nix software vulnerability advisories Artem Chuprina (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Stephen Samuel (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories David Eisner (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories D. J. Bernstein (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 24)
- Message not available
- Re: DJB's students release 44 *nix software vulnerability advisories Crispin Cowan (Dec 23)
- Re: DJB's students release 44 *nix software vulnerability advisories cees-bart (Dec 17)
- Re: DJB's students release 44 *nix software vulnerability advisories milw0rm Inc. (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Antoine Martin (Dec 21)
- Re: DJB's students release 44 *nix software vulnerability advisories Chris Paget (Dec 22)
- Re: DJB's students release 44 *nix software vulnerability advisories Jack Lloyd (Dec 22)