Dailydave mailing list archives

Re: Security people are leaches. [sic]


From: RB <aoz.syn () gmail com>
Date: Fri, 7 Aug 2009 21:17:54 -0600

On Fri, Aug 7, 2009 at 11:41, Aaron<apconole () yahoo com> wrote:
> The 'shades of grey' only exist to security people. To no one else is it
> important that a bug disclose information, allow invalid root access, or
> escalate privileges.

Rather, 'shades of grey' only exist to critical thinkers who actually
understand the problems.  If you really think privilege escalation and
information disclosure are esoteric problems that should be relegated
only to "security people", I know a few thousand non-security system
administrators that would like you to stop whatever you're doing and
go flip burgers.  Pretending that there is no such thing as a security
bug is a childish pretense and is the equivalent of closing your eyes
and assuming nobody's there because you can't see them.

> So the point still stands, why burden the average kernel developer/debugger
> to do security research work for the security researcher?

Because, although rather vocal, researchers compose a numerically
insignificant subset of the security "industry".  The vast majority
are sysadmins, engineers, and programmers that need to prioritize
fixes based not only on functionality but on exposure as well.  The
expectation is not for kernel developers to perform ad nauseam
security analysis of bugs, but for them to exercise due diligence and
not suppress security information.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave