-------------------------------------------------------------------
|>
|> Dr. Frederick B. Cohen wrote :
|> >
|> > [lots of stuff, not relevant to my question, nuked out...]
|> >
|> > I don't mean to imply any bias here toward any of the three scenarios.
|> > I have at different times believed in each of the three, and have not
|> > yet heard an argument that convinces me of any of them.
|> >
|>
|> So, what made you believe in one in the first place, and what made you
|> change your mind ?
|
|Thought it was too dangerous to widely release active attack code for viruses.
|It really could have taken down much of the world (and still potentially could
|except that I don't release the really clever virus ideas). But not telling
|anyone about the concept seemed very irresponsible. The compromise only got
|me abuse from all sides.
|
|Thought (and often still do) that full disclosure was best. But then
|there are liability issues and the fact that you probably actually do
|harm some people.
|
|Thought that secrecy was best, but not for long. Secrecy is too often used for
|economic advantage, and besides, they could kill you to prevent disclosure.
|
|Think that automated external testing without disclosure is best - but
|not ideal. Despite all of the problems with it, it seems better than
Does the "not ideal" part have something to do with the notion that any
such testing automated or otherwise could be used for malicious purposes?
In other words, how do I trust that the test 1) wasn't engaged in an attack
on my system - the test being a front and 2) covered all test cases the test
administrator said would be covered i.e. I'll tell you about 9 problems and
save the tenth for my own purposes?

Were there other issues that make this approach not ideal?

One could consider evaluating such tests and affixing a digital signature to
prove authenticity. This of course requires you to trust the folks who
evaluated the test suite.

Even if source code is not divulged, it is a fact of life that people will
want to have some idea of what holes etc. are tested. Often even superficial
knowledge to an expert is enough for them to produce equivalent malicious
code.

It seems to me the threat isn't the code, rather it is the rate at which the
cracker community becomes educated/informed of new techniques vs. the rate
responsible folks are able to set up defences. Clearly, if the good guys
take a piecemeal approach to fending off attacks they are doomed to failure.

Seems to me purchasers of computer technology need to be able to gauge
likelihood of compromise. Sort of a defect density for security holes.

Well it looks like I've drifted off the subject a little. My apologies!

Regards,
Ned Smith
nedbob @ sequent . com

|giving bad guys attack code that works on 40% of the world's computers
|and better than not telling people about vulnerabilities. The bad guys
|with the code don't need to provide the service, and for a bad guy to
|make themself that high profile is an awfully big risk.
|
|FC
|
|
|