LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-23-2010, 06:40 AM   #1
win32sux
Why Vulnerability Research Matters


Quote:
It seems that any time there's a high-profile incident in which a vulnerability is disclosed without a patch being available, there is an immediate and loud call from some corners to abolish the practice of vulnerability research. If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes. But the plain fact is that all of us--users and vendors alike--are far better off because of the work researchers do.
Complete Article
 
Old 08-24-2010, 12:35 AM   #2
John VV
reporting ????
well if the original devs are helpful and cooperating with the security researchers
then it should not be disclosed

BUT
if the original devs are NOT helpful and are NOT cooperating with the security researchers (stonewalling and blowing off the researchers)
then YES report it to the world
 
Old 08-24-2010, 05:42 PM   #3
Noway2
From the article:
Quote:
If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes
I guess the same could be said about ANY product testing. If no testing were done, except perhaps for specially designed cases by the manufacturer we would have all perfect products right?

This 'attitude' sounds an awful lot like security through obscurity to me and we all know how well that works.
{edit} I read a comment about how commercial software vendors have a monetary interest in not releasing information regarding discovered vulnerabilities. Doing so could cause potential customers to question whether or not to purchase, patches and upgrades must be sent via distribution channels, etc. I know that I have seen this where I have worked. As a former boss once put it, "I can't lie about the defects that they know about, but I am under no obligation to disclose information about those that they don't". The claim was that the tendency to try and restrict this information in the hopes that nobody notices is a lot of the reason that the researchers started making this information known.

Last edited by Noway2; 08-28-2010 at 07:03 PM. Reason: Updated Information
 