Re: thoughts on kernel security issues
From: Linus Torvalds
Date: Fri Jan 14 2005 - 17:59:08 EST
On Fri, 14 Jan 2005, Theodore Ts'o wrote:
>
> I disagree. First of all, we can't know what motivates someone, and
> presuming that we know their motivation is something that should only
> be done with the greatest of care. Secondly, someone who does want
> cheap PR can do so without delaying their disclosure; they can issue a
> breathless press release or "security advisory" about a DOS attack
> just as easily with a zero-day disclosure as they can with a two-week
> delayed disclosure.

Your "secondly" is bogus.

Sure, you can do that, and if you do that, then the world recognizes you
for what you are - nothing but a publicity-seeking creep.

THAT is why vendor-sec is bad. It allows publicity-seeking creeps to take
on the mantle of being "good".

I'm arguing for exposing them for what they are. If that hurts some
feelings, tough ;)

> > (a) accepting that bugs happen, and that they aren't news, but making
> > sure that the very openness of the process means that people know
> > what's going on exactly because it is _open_, not because some news
> > organization had to make a big stink about it just to make a vendor
> > take notice.
>
> A one or two week delay is hardly cause for "a news organization to
> make a big stink so vendors will take notice".

You ignore reality.

It's not a one- or two-week delay. Once the vendor-sec mentality takes
effect, the delay inevitably grows. You _always_ have excuses for
delaying, and as shown by this thread, a _lot_ of people believe them.

Also, even a one- or two-week delay _is_ actually detrimental. It means
that you can't handle the problem when it happens, so it gets queued up.
People cannot inform unrelated third parties about their patches (because
they are embargoed), which means that they get out of sync, and suddenly
the thing that open source is so good at - namely making communication
work well - becomes a problem.

> > And let's not kid ourselves: the security firms may have resources that
> > they put into it, but the worst-case scenario is actual criminal intent.
> > People who really have resources to study security problems, and who have
> > _no_ advantage of using vendor-sec at all. And in that case, vendor-sec is
> > _REALLY_ a huge mistake.
>
> Nah. If you have criminal intent, generally there are far easier ways
> to target a specific company.

The spam-viruses clearly show that that isn't always true, though. The
advantage to targeting the whole infrastructure _is_ clearly there.

Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/