
Re: DJB's students release 44 *nix software vulnerability advisories



Thor Larholm wrote:

This small group of students highlights how individuals outside the
security industry without special security prerequisites can still
manage to outperform the average Bugtraq poster in sheer quantity of
discoveries. This adequately validates the typical estimate of between 5
and 15 errors in every thousand lines of code.
Most of the 44 posted "security" advisories are about software bugs with a very low security risk. See for example the posted bug on NASM (http://tigger.uic.edu/~jlongs2/holes/nasm.txt): what's the chance of an evil asm file being sent to an ignorant user that calls nasm to compile this file? And this nasm bug is then called a "remotely exploitable security hole". If I mail out a shell script that does "rm -rf $HOME/*", this can also be considered a remotely exploitable security hole.

A proper (wide-scale) remotely exploitable security hole is one that can be exploited without any ignorant user on the other side: for example, the bug in the Windows Messenger service, which was enabled by default, making every user vulnerable, regardless of their stupidity.

With a class of 25 students discovering 44 vulnerabilities most students
now expect to fail the course
(http://it.slashdot.org/article.pl?sid=04/12/15/2113202).

I think punishing students that have actually found security holes does not make the world a better place ;)



--
cees-bart.