Date: Tue, 7 Oct 2014 06:46:22 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Tue, Oct 07, 2014 at 09:51:50AM +0400, Solar Designer wrote:
> Shellshock is actually an example of "selective disclosure" (as Ted
> Unangst calls it) arguably not working well enough to be worthwhile.
> In this case, it was because the right ones (as it turned out) of the
> "many eyeballs" - Tavis and Michal - were not party to the "selective
> disclosure".  Florian was, but I am guessing that without finding more
> parser bugs convincing Chet and distros to remove exposure of the
> parser so urgently would have been difficult.  Arguably, this suggests
> that we should expand the distros list membership with security
> researchers who are capable, willing, and have (paid?) time to review
> upcoming security patches and the software being patched for possible
> other flaws closely related to those being patched.

I've been thinking about this for the past week and agree with your
problem identification. However, the lesson I rescue is diametrically
opposed to the one you arrived at.

An effect few mention is how dramatically things changed post-embargo.
Sure, Chet's been burning the midnight oil (many thanks, Chet; you're
owed many beers) but on some level, or maybe only after the dust
settles, he'll be very appreciative of the way the community rallied in
a highly dynamic way to ultimately help make Bash a better product.

From the identification of key breach points (thanks Stephane, Tavis,
and Michal) to the development of critical hardening (thanks Florian),
the level of engagement has been, and continues to be, extraordinary.

I don't know how long the initial report was embargoed but I'm pretty
sure the process became infinitely more productive after the veil of
semi-secrecy was lifted (be it in metrics like LoC/hour or reports/day).

It's amazing how productive people can be when incentives are properly
aligned.

Your solution is to add Tavis and Michal to distros@. What about the
next flaw when the two researchers who turn out to be key are Bob and
Fred? Add them next? You'll be playing catch-up.

I think the overarching lesson here is there are costs to the embargo
paradigm some have grown to love and over-use. Few consider the negative
effects that removing one aspect of "open" from open source can have and
how energetic the process can become once it's reintroduced.

--mancha
