Hi Rich,

Your footnote #1 is dubious at best. The cost of aiming people's eyes at bugs is _not_ $0. Until it is, the free software community has a problem with too few resources chasing too many bugs. Sitting my Debian box next to an XP box that's running Flash certainly doesn't change that. (Nor does it make the openssl library I'm running any less of a clusterfuck.)
-Jonathan

On Friday, October 3, 2014 5:46 PM, Rich Kulawiec <r...@gsp.org> wrote:

On Thu, Oct 02, 2014 at 05:50:08PM -0700, Greg wrote:
> K, thanks for the read (I read it but nothing there seems to apply,
> perhaps some of its points will be addressed below).

I'm sorry that you feel that way; I included that link because I think the entire message applies, particularly this part:

Of course the obvious answer is A, since B is more commonly known as "snake oil". It's garbage. No thinking, responsible person would ever choose B, because -- absent the history and the research and the publication and everything else -- it might be the instant cure for Bieberitis, or it might be sugar pills, or it might be poison. There's no way to know.

Espionage might be brilliant, beautiful, bug-free code that does exactly what it's claimed to do. Or it might be loaded with algorithmic mistakes, coding errors, security holes and back doors. There's no way to know.

And the reason there is no way to know is that Tao Effect is refusing to freely/openly/completely publish the full source code, i.e.:

> Anyone is welcome, so long as they:
>
> 1. Are software security professionals. (Nobody else matters in this context,
> after all.)
> 2. Don't work for government intelligence agencies.
> 3. Sign the NDA we give them, the salient points of which are enumerated on
> our site.

You're certainly welcome to set whatever policies you wish for your software (as is everyone). But by making this particular set of choices, you have immediately disqualified it from any further consideration, since it is not available for unconstrained peer review by arbitrary, independent third parties. (And can't be, since you've exempted anyone who doesn't meet your criteria and since anyone who signs your NDA is quite clearly no longer independent.)

If you're serious about security, then you must be equally serious about independent and unlimited peer review, since -- so far -- it's the only tool we have that's been demonstrated to work in the field. It doesn't work very well sometimes (see "Shellshock") [1] but it's still the best we've got. You can't have the former without the latter: it's not a sufficient condition, but it's certainly a necessary one.

By the way #1, your statement "(Nobody else matters in this context, after all)" in point #1 is absolutely, utterly, completely wrong. Security bugs in software are identified all the time by people who are *not* software security professionals: as one of the more well-known examples, let me point out Cliff Stoll. There are of course myriad others, as everyone who has either studied the history of the field or lived through it is quite well aware. That's one of the reasons why completely open, completely unrestricted peer review is important: there's no way to know who will find something.

By the way #2, in re point #2: government intelligence agencies either feel that your software is of sufficient interest to require their attention or they do not. If the latter, then they don't care. But if the former, then in all probability they already have it or will acquire it without your help or knowledge whenever they feel like troubling themselves enough to do so.

---rsk

[1] Although one could argue that it *did* work in the case of Shellshock: it just took a while. And one of the things that's very clearly working right now, as I'm writing this, is that the exposure of this particular bug has triggered a massive examination of the relevant code, which in turn has spurred copious discussion, which in turn will eventually result in marked improvement, since there are now a large number of clueful, experienced, motivated eyeballs peering at bash and arguing over it.

Compare/contrast this overwhelming and prompt response to this with the laconic/anemic reactions of, let's say, Adobe:

Adobe Shockwave bundles Flash that's 15 months behind on security fixes
http://arstechnica.com/security/2014/05/adobe-shockwave-bundles-flash-thats-15-months-behind-on-security-fixes/

or Oracle:

Oracle reportedly knew of critical Java bugs under attack for 4 months
http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/

So while Shellshock has been annoying, at least it's being worked on with an appropriate sense of urgency.

-- 
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.