Secure Coding mailing list archives
On exploits, hubris, and software security
From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson)
Date: Fri, 03 Nov 2006 17:30:18 +0000
Gary McGraw [mailto:gem at cigital.com] writes:
The main thing I wonder is, what do you think? When you have a hot demonstration of an exploit, how do you responsibly release it?
This isn't so much about that, in the usual sense. This was, as you say, a well-known vulnerability, one screamingly obvious to anybody who bothered to think about how to get around the No-Fly List. Bruce Schneier wrote about it on his blog long ago, as did many others.
What role do such demonstrations play in moving software security forward?
It could help dramatically. Not so much because of the demo itself, which will of course be ignored by the Powers that Be, but the publicity around it. That might possibly eventually make enough of a dent in the public consciousness, to wake them up to the fact that what the PTBs have been doing is almost all just security THEATER. However, it depends how much the media gives background. Unfortunately, even a brief blurb like "this flaw in the No-Fly List concept has been well known for several years" is unlikely to be aired or printed, since it takes valuable time/space away from the latest scandals of skanky "socialites" and other such much more important news. Without this little bit of trivia, the sheeple will just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag. -Dave -- Dave Aronson "Specialization is for insects." -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/
Current thread:
- On exploits, hubris, and software security Gary McGraw (Nov 03)
- On exploits, hubris, and software security Blue Boar (Nov 03)
- <Possible follow-ups>
- On exploits, hubris, and software security SC-L Subscriber Dave Aronson (Nov 03)
- On exploits, hubris, and software security Gary McGraw (Nov 03)
- On exploits, hubris, and software security Blue Boar (Nov 03)