Re: The Week of Oracle Database Bugs

[dan () geer org]

Joanna Rutkowska writes:
 | > 
 | > I will assume, then, that you agree the conservative
 | > position for the researcher to take is that any vuln
 | > s/he discovers is always a re-discovery, that no one
 | > here ever discovers anything truly new?
 | > 
 | 
 | Please note, Dan, that Joel used the word 'often', while you said
 | 'always'. Also, it's not the problem of who discovers the bug first, but
 | rather that it's very unlikely that a particular bug (or a security
 | problem in general) will never be discovered (abused) by anybody else...
 | It's a big planet (at least very crowded) ;)


We're in agreement.  The nuance I was trying to get
across is this: If and when I disover a vulnerability, 
it is prudent on my part (as a researcher) to assume
that someone else has already discovered that vuln.
Perhaps the most conservative position is that if I
discover a vuln, I should not only assume that it has
been previously discovered by persons unknown but that
as well as being already discovered it is already in
use.  If I take such a conservative position, then it
might be also a conservative position that the first
activity should be to mitigate the attack vector the
vuln represents and, only after that is done, turn
one's attention to removing the vuln itself.

This may, of course, be much like debating how many
angels can fit on the head of a pin.

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave