Re: thoughts on kernel security issues

From: Alan Cox
Date: Thu Jan 13 2005 - 15:54:23 EST

Next message: Marek Habersack: "Re: thoughts on kernel security issues"
Previous message: Dave Jones: "Re: thoughts on kernel security issues"
In reply to: Marek Habersack: "Re: thoughts on kernel security issues"
Next in thread: Marek Habersack: "Re: thoughts on kernel security issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Iau, 2005-01-13 at 20:29, Marek Habersack wrote:
> I understand that, but I don't see a point in holding the fixes back for the
> majority of people (since the vendors on vendor-sec are a minority and I

vendor-sec probably covers the majority of users

It covers
2.4
2.6-ac
Red Hat
SuSE
Debian
Gentoo
Mandrake
and many more including some of the BSD folk (a lot of user space bugs
are common)

2.6 base isn't covered because Linus has differing views.

> suspect that more people run self-compiled kernels on their servers than the
> vendor kernels, I might be wrong on that). If there is a list that's at

I'd say you are very very wrong from the data I have access too,
probably of the order of 1000:1 wrong or more.

> > Licensing is irrelevant. Like it or not, the person who is discovering
> > the bugs has some say in how you deal with the information. It's in our
> > best interest to work nicely with these folks, not marginalize them.

> It's not about marginalizing, because by requesting that their report is
> kept secret for a while and known only to a small bunch of people, you could
> say they are marginalizing us, the majority of people who use the linux
> kernel (us - those who aren't on the vendor-sec list). It's, again IMHO,

They chose to. A lot of people report bugs directly to Linus too or to
the lists or to full-disclosure depending upon their view. The folks who
report bugs in private either to Linus or to vendor-sec or maintainers
or whoever generally believe that the bad guys can move faster and cause
a lot of damage if a bug isn't fixed before announce.

Thats based on the observation that
- the bad guys have to move a small exploit versus a large binary
- the exploit doesn't have to pass quality assurance, you just write
more
- they can automate the attack tools very effectively

So the non-disclosure argument is perhaps put as "equality of access at
the point of discovery means everyone gets rooted.". And if you want a
lot more detail on this read papers on the models of security economics
- its a well studied field.

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Marek Habersack: "Re: thoughts on kernel security issues"
Previous message: Dave Jones: "Re: thoughts on kernel security issues"
In reply to: Marek Habersack: "Re: thoughts on kernel security issues"
Next in thread: Marek Habersack: "Re: thoughts on kernel security issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]