From: dave (dave at immunityinc.com)
Date: Sat Aug 08 2009 - 15:19:27 CDT
Normally I would, of course, kill this thread, but there's lots of the
Linux Kernel/Vendor security community subscribed to the list, and I
think it's important for them to hear the story. Right now, Linux kernel
security is 5 years behind Windows. There's just no leadership on the
issue - and it doesn't have to come from Linus Torvalds or the
development leadership.

Partially, Linus is right - there really is no way to have developers
truly know the security ramifications of every change they commit or
every bug they fix. But on the other hand, the GRSecurity team and
others have shown that for very little additional investment, one small
team of good people (throw a half million USD a year at it and be amazed
at the results!), the Linux community could be vastly benefited. Modern
software development DOES have to incorporate a security model, and
Linux is no exception if it wants to be successful.

It's always hard for security vendors to learn the lesson from Andrew
Cushman about how to handle security researchers. Quite literally, no
matter how much security researchers piss you off, you have to embrace
and extend their efforts and their community. It's the only way. Every
other way, from Denial, to Legal Threats, to Massive PR Effort, just
results in continued failure. If a Linux kernel developer suspects their
patch has security relevance, and deliberately hides that in their
commit message, they are in the Denial phase. The fact that people can
be mean when they point that out doesn't change the real failure.

In this case, the best move for Linux as a whole is to develop a
security center of excellence, possibly hosted somewhere where multiple
vendors can contribute to it, and work together to help with Linux's
(kernel) security problems. They can start by going through new kernels
and pointing out which changes may be security relevant, while training
up key Linux developers on modern security techniques.

Otherwise it's just not a fair fight. I do so love a fair fight. :>

-dave
RB wrote:
> On Fri, Aug 7, 2009 at 11:41, Aaron <apconole at yahoo.com> wrote:
>> The 'shades of grey' only exist to security people. To no one else is it
>> important that a bug disclose information, allow invalid root access, or
>> escalate privileges.
>
> Rather, 'shades of grey' only exist to critical thinkers who actually
> understand the problems. If you really think privilege escalation and
> information disclosure are esoteric problems that should be relegated
> only to "security people", I know a few thousand non-security system
> administrators that would like you to stop whatever you're doing and
> go flip burgers. Pretending that there is no such thing as a security
> bug is a childish pretense and is the equivalent of closing your eyes
> and assuming nobody's there because you can't see them.
>
>> So the point still stands, why burden the average kernel developer/debugger
>> to do security research work for the security researcher?
>
> Because, although rather vocal, researchers compose a numerically
> insignificant subset of the security "industry". The vast majority
> are sysadmins, engineers, and programmers that need to prioritize
> fixes based not only on functionality but on exposure as well. The
> expectation is not for kernel developers to perform ad nauseam
> security analysis of bugs, but for them to exercise due diligence and
> not suppress security information.
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave