Date: Tue, 7 Oct 2014 06:46:22 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Tue, Oct 07, 2014 at 09:51:50AM +0400, Solar Designer wrote:
> Shellshock is actually an example of "selective disclosure" (as Ted
> Unangst calls it) arguably not working well enough to be worthwhile.
> In this case, it was because the right ones (as it turned out) of the
> "many eyeballs" - Tavis and Michal - were not party to the "selective
> disclosure". Florian was, but I am guessing that without finding more
> parser bugs convincing Chet and distros to remove exposure of the
> parser so urgently would have been difficult. Arguably, this suggests
> that we should expand the distros list membership with security
> researchers who are capable, willing, and have (paid?) time to review
> upcoming security patches and the software being patched for possible
> other flaws closely related to those being patched.

I've been thinking about this for the past week and agree with your problem identification. However, the lesson I rescue is diametrically opposed to the one you arrived at.

An effect few mention is how dramatically things changed post-embargo. Sure, Chet's been burning the midnight oil (many thanks, Chet; you're owed many beers) but on some level, or maybe only after the dust settles, he'll be very appreciative of the way the community rallied in a highly dynamic way to ultimately help make Bash a better product. From the identification of key breach points (thanks Stephane, Tavis, and Michal) to the development of critical hardening (thanks Florian), the level of engagement has been, and continues to be, extraordinary.

I don't know how long the initial report was embargoed but I'm pretty sure the process became infinitely more productive after the veil of semi-secrecy was lifted (be it in metrics like LoC/hour or reports/day).

It's amazing how productive people can be when incentives are properly aligned.

Your solution is to add Tavis and Michal to distros@. What about the next flaw when the two researchers who turn out to be key are Bob and Fred? Add them next? You'll be playing catch-up.

I think the overarching lesson here is there are costs to the embargo paradigm some have grown to love and over-use. Few consider the negative effects that removing one aspect of "open" from open source can have and how energetic the process can become once it's reintroduced.

--mancha