Dailydave mailing list archives
Re: Security people are leaches. [sic]
From: dave <dave () immunityinc com>
Date: Sat, 08 Aug 2009 16:19:27 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Normally I would, of course, kill this thread, but there's lots of the Linux Kernel/Vendor security community subscribed to the list, and I think it's important for them to hear the story.

Right now, Linux kernel security is 5 years behind Windows. There's just no leadership on the issue - and it doesn't have to come from Linus Torvalds or the development leadership. Partially, Linus is right - there really is no way to have developers truly know the security ramifications of every change they commit or every bug they fix. But on the other hand, the GRSecurity team and others have shown that for very little additional investment, one small team of good people (throw a half million USD a year at it and be amazed at the results!), the Linux community could be vastly benefited. Modern software development DOES have to incorporate a security model, and Linux is no exception if it wants to be successful.

It's always hard for security vendors to learn the lesson from Andrew Cushman about how to handle security researchers. Quite literally, no matter how much security researchers piss you off, you have to embrace and extend their efforts and their community. It's the only way. Every other way, from Denial, to Legal Threats, to Massive PR Effort, just results in continued failure.

If a Linux kernel developer suspects their patch has security relevance, and deliberately hides that in their commit message, they are in the Denial phase. The fact that people can be mean when they point that out doesn't change the real failure.

In this case, the best move for Linux as a whole is to develop a security center of excellence, possibly hosted somewhere where multiple vendors can contribute to it, and work together to help with Linux's (kernel) security problems. They can start by going through new kernels and pointing out which changes may be security relevant, while training up key Linux developers on modern security techniques.

Otherwise it's just not a fair fight. I do so love a fair fight. :>

-dave

RB wrote:
> On Fri, Aug 7, 2009 at 11:41, Aaron <apconole () yahoo com> wrote:
>> The 'shades of grey' only exist to security people. To no one else is it important that a bug disclose information, allow invalid root access, or escalate privileges.
>
> Rather, 'shades of grey' only exist to critical thinkers who actually understand the problems. If you really think privilege escalation and information disclosure are esoteric problems that should be relegated only to "security people", I know a few thousand non-security system administrators that would like you to stop whatever you're doing and go flip burgers. Pretending that there is no such thing as a security bug is a childish pretense and is the equivalent of closing your eyes and assuming nobody's there because you can't see them.
>
>> So the point still stands, why burden the average kernel developer/debugger to do security research work for the security researcher?
>
> Because, although rather vocal, researchers compose a numerically insignificant subset of the security "industry". The vast majority are sysadmins, engineers, and programmers that need to prioritize fixes based not only on functionality but on exposure as well. The expectation is not for kernel developers to perform ad-nauseam security analysis of bugs, but for them to exercise due diligence and not suppress security information.
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkp93c8ACgkQtehAhL0ghergKACfYBZs1tJR+FKhk8Obw00fPGqB
XzgAn04/qqbyl23yTBYGLlEc41r5mR/E
=TPTv
-----END PGP SIGNATURE-----
Current thread:
- Security people are leaches. [sic] pageexec (Jul 27)
- Re: Security people are leaches. [sic] yersinia (Jul 28)
- Re: Security people are leaches. [sic] Peter Busser (Aug 05)
- Re: Security people are leaches. [sic] Aaron (Jul 28)
- Re: Security people are leaches. [sic] Peter Busser (Aug 05)
- Re: Security people are leaches. [sic] Adrien Kunysz (Aug 06)
- Re: Security people are leaches. [sic] pageexec (Aug 07)
- Re: Security people are leaches. [sic] Aaron (Aug 07)
- Re: Security people are leaches. [sic] RB (Aug 16)
- Re: Security people are leaches. [sic] dave (Aug 08)
- Re: Security people are leaches. [sic] Shane Macaulay (Aug 08)
- Re: Security people are leaches. [sic] Peter Busser (Aug 05)
- Re: Security people are leaches. [sic] yersinia (Jul 28)
- <Possible follow-ups>
- Re: Security people are leaches. [sic] Eugene Teo (Aug 10)