Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] writes:

 The main thing I wonder is, what do you think? When you have a hot
 demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a 
well-known vulnerability, one screamingly obvious to anybody who bothered to 
think about how to get around the No-Fly List. Bruce Schneier wrote about it on 
his blog long ago, as did many others.

 What role do such demonstrations play in moving software security forward?

It could help dramatically. Not so much because of the demo itself, which will 
of course be ignored by the Powers that Be, but the publicity around it. That 
might possibly eventually make enough of a dent in the public consciousness, to 
wake them up to the fact that what the PTBs have been doing is almost all just 
security THEATER.

However, it depends how much the media gives background. Unfortunately, even a 
brief blurb like this flaw in the No-Fly List concept has been well known for 
several years is unlikely to be aired or printed, since it takes valuable 
time/space away from the latest scandals of skanky socialites and other such 
much more important news. Without this little bit of trivia, the sheeple will 
just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor 
in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.

-Dave

-- 
Dave Aronson
Specialization is for insects. -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/



___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread Blue Boar
Gary McGraw wrote:
 The main thing I wonder is, what do you think?  When you have a hot
 demonstration of an exploit, how do you responsibly release it?  What
 role do such demonstrations play in moving software security forward?

To pick one extreme, I believe there are times when intentionally 
blindsiding a vendor is appropriate:
http://ryanlrussell.blogspot.com/2006/11/you-want-mac-wireless-bugs.html

BB
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php