Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Apr 2011 02:09:38 +0400
From: Solar Designer <>
Subject: Re: Closed list

On Sat, Apr 02, 2011 at 06:00:40AM +0200, klondike wrote:
> Will the list provide protection against rubber-hose cryptanalisys?,

No, it won't.  Worse, people will also have the temptation to make use
of the information at their other jobs, etc.  For example, a security
contact for a distro might not only prepare updated packages, but also
patch their personal server early... which adds to the risk.

I see no way to deal with this technically, other than by keeping the
number of subscribers relatively low (only those who "need to know") and
by only discussing medium-severity issues on the list (thus high
severity ones will have even more focused distribution).

Arguably, medium-severity issues are not worth rubber-hose cryptanalysis
and are not as tempting to patch, yet their handling may benefit from
some coordination between distro vendors.

> Sometime ago I was taught that the best way to be sure a secret was not
> known was not saying it, so if you, researchers, want to make sure your
> PoC aren't abused do things properly, warn the vendors to upgrade the
> product because of your security finding and avoid providing PoCs until
> enough time has passed for you to be sure everybody has had a chance to
> upgrade.

This makes sense to me.  No need to provide vendors with more info than
they need to properly patch the issue and verify the fix.  The latter
will sometimes require access to a PoC, though, but I'd prefer such PoCs
to be sent directly to vendors who express interest in testing their
fixes rather than posted to a multi-vendor exploder list.

> Any other solution can be easily flawed since you can't make sure I
> won't buy/kidnap/kidnap relatives of/steal data from etc. on anybody on
> such a private list.

Sure, but it's always a tradeoff, and the risk is there even if you
share a vulnerability report without a PoC.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.