Re: thoughts on kernel security issues

From: Marek Habersack
Date: Thu Jan 13 2005 - 15:43:31 EST


On Thu, Jan 13, 2005 at 03:03:08PM -0500, Dave Jones scribbled:
> On Thu, Jan 13, 2005 at 08:42:46PM +0100, Marek Habersack wrote:
> > On Thu, Jan 13, 2005 at 03:36:27PM +0000, Alan Cox scribbled:
> > > On Mer, 2005-01-12 at 17:42, Marcelo Tosatti wrote:
> > > > The kernel security list must be higher in hierarchy than vendorsec.
> > > >
> > > > Any information sent to vendorsec must be sent immediately for the kernel
> > > > security list and discussed there.
> > >
> > > We cannot do this without the reporters permission. Often we get
> > I think I don't understand that. A reporter doesn't "own" the bug - not the
> > copyright, not the code, so how come they can own the fix/report?
>
> Security researchers are an odd bunch. They're very attached to their
> bugs in the sense they want to be the ones who get the glory for
> having reported it.
Let them have it! We can even chip in to run banner adds on freshmeat with
their name on it, I'm all game for that. Or create an RFC-like archive of
the vulnerabilities, ruled by the same rules - no changes after publishing.
Their names will be circulating around the internet forever.

> As soon as bugs start getting forwarded around between lists, the
> potential for leaks increases greatly. The recent fiasco surrounding
> one of the isec.pl holes was believed to have been caused due to
> someone 'sniffing upstream' for example.
I think it would be a non-issue if there was no drive towards keeping it
secret at all cost. It would be out in the open, nothing else, nothing more.

> When issues get leaked, the incentive for a researcher to use the
> same process again goes away, which hurts us. Basically, trying
> to keep them happy is in our best interests.
You've said they want glory, we can give it to them in many ways without
keeping their discoveries secret.

best regards,

marek

Attachment: signature.asc
Description: Digital signature