Thor Larholm wrote:
> This small group of students highlights how individuals outside the security industry without special security prerequisites can still manage to outperform the average Bugtraq poster in sheer quantity of discoveries. This adequately validates the typical estimate of between 5 and 15 errors in every thousand lines of code.

Most of the 44 posted "security" advisories are about software bugs with a very low security risk. See for example the posted bug on NASM (http://tigger.uic.edu/~jlongs2/holes/nasm.txt): what's the chance of an evil asm file being sent to an ignorant user that calls nasm to compile this file? And this nasm bug is then called a "remotely exploitable security hole". If I mail out a shell script that does "rm -rf $HOME/*", this can also be considered a remotely exploitable security hole.
A proper (wide-scale) remotely exploitable security hole is one that can be exploited without any ignorant user on the other side: for example, the bug in the Windows Messenger service, which was enabled by default, making every user vulnerable, regardless of their stupidity.
With a class of 25 students discovering 44 vulnerabilities, most students now expect to fail the course (http://it.slashdot.org/article.pl?sid=04/12/15/2113202).
I think punishing students that have actually found security holes does not make the world a better place ;)
-- cees-bart.