Hi Rich,

Your footnote #1 is dubious at best.  The cost of aiming people's
eyes at bugs is _not_ $0.  Until it is, the free software community has a 
problem with too few resources chasing too many bugs.  Sitting my Debian box 
next to an XP box that's running Flash certainly doesn't change that.  (Nor 
does it make the openssl library I'm running any less of a clusterfuck.)

-Jonathan

On Friday, October 3, 2014 5:46 PM, Rich Kulawiec <r...@gsp.org> wrote:

On Thu, Oct 02, 2014 at 05:50:08PM -0700, Greg wrote:
> K, thanks for the read (I read it but nothing there seems to apply,
> perhaps some of its points will be addressed below).

I'm sorry that you feel that way; I included that link because I think
the entire message applies, particularly this part:

    Of course the obvious answer is A, since B is more commonly
    known as "snake oil".  It's garbage.  No thinking, responsible
    person would ever choose B, because -- absent the history and
    the research and the publication and everything else -- it might
    be the instant cure for Bieberitis, or it might be sugar pills,
    or it might be poison.    There's no way to know.

Espionage might be brilliant, beautiful, bug-free code that does exactly
what it's claimed to do.  Or it might be loaded with algorithmic mistakes,
coding errors, security holes and back doors.  There's no way to know.

And the reason there is no way to know is that Tao Effect is refusing
to freely/openly/completely publish the full source code, i.e.:

> Anyone is welcome, so long as they:
> 
> 1. Are software security professionals. (Nobody else matters in this context, 
> after all.)
> 2. Don't work for government intelligence agencies.
> 3. Sign the NDA we give them, the salient points of which are enumerated on 
> our site.

You're certainly welcome to set whatever policies you wish for your
software (as is everyone).  But by making this particular set of choices,
you have immediately disqualified it from any further consideration,
since it is not available for unconstrained peer review by arbitrary,
independent third parties.  (And can't be, since you've exempted
anyone who doesn't meet your criteria and since anyone who signs
your NDA is quite clearly no longer independent.)

If you're serious about security, then you must be equally serious about
independent and unlimited peer review, since -- so far -- it's the
only tool we have that's been demonstrated to work in the field.
It doesn't work very well sometimes (see "Shellshock") [1] but it's still
the best we've got.  You can't have the former without the latter:
it's not a sufficient condition, but it's certainly a necessary one.

By the way #1, your statement "(Nobody else matters in this context,
after all)" in point #1 is absolutely, utterly, completely wrong.
Security bugs in software are identified all the time by people who are
*not* software security professionals: as one of the more well-known
examples, let me point out Cliff Stoll.  There are of course myriad
others, as everyone who has either studied the history of the field
or lived through it is quite well aware.  That's one of the reasons
why completely open, completely unrestricted peer review is important:
there's no way to know who will find something.

By the way #2, in re point #2: government intelligence agencies
either feel that your software is of sufficient interest to require
their attention or they do not.  If the latter, then they don't care.
But if the former, then in all probability they already have it or will
acquire it without your help or knowledge whenever they feel like
troubling themselves enough to do so.

---rsk

[1] Although one could argue that it *did* work in the case of Shellshock:
it just took a while.  And one of the things that's very clearly working
right now, as I'm writing this, is that the exposure of this particular
bug has triggered a massive examination of the relevant code, which in
turn has spurred copious discussion, which in turn will eventually result
in marked improvement, since there are now a large number of clueful,
experienced, motivated eyeballs peering at bash and arguing over it.

Compare/contrast this overwhelming and prompt response with the
laconic/anemic reactions of, let's say, Adobe:

    Adobe Shockwave bundles Flash that's 15 months behind on security fixes
    
http://arstechnica.com/security/2014/05/adobe-shockwave-bundles-flash-thats-15-months-behind-on-security-fixes/

or Oracle:

    Oracle reportedly knew of critical Java bugs under attack for 4 months
    
http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/

So while Shellshock has been annoying, at least it's being worked on with
an appropriate sense of urgency.
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.