Linux 2.6.30 exploit posted
Posted Aug 2, 2009 15:30 UTC (Sun) by mingo
In reply to: Linux 2.6.30 exploit posted
Parent article: Linux 2.6.30 exploit posted
> Second, as I am involved in security-related teaching activities, would you eventually allow me to present your text to my students for commenting?
Sure, feel free!
> Finally, let me express some additional concerns.

> Government-funded or organized vulnerability research may actually already be occurring but not leading to security improvements: think of military-funded organizations or simple selfish (and commercially compatible) self-protection of big players. I wonder how we could guarantee that such organizations do contribute to overall security. But I totally agree with you that such organized research is still too rare; hence we still rely far too much on individual achievements in this area.

> Then, there is a deeper question: don't we feel the need for technical vulnerability research because we do not put enough effort into providing security guarantees (or mechanisms, or properties) in our systems? (And yes, I know I speak to an audience that already certainly does much more than any other in this area - I would probably not even openly express this concern if I did not know that.)
How much effort we put into various fields is largely supply-demand driven.
Firstly, the main drive in the 'fix space' is towards problems that affect people directly.
A bug that crashes people's boxes will get prime-time attention. A missing feature that keeps people from utilizing their hardware or apps optimally also gets a fair shot, and all the market forces work on them in a healthy way.
'Security issues' are not included in that 'direct space' - the ordinary user is rarely affected by security problems in a negative way.
So computer security has become a field that is largely fear-driven: with a lot of artificial fear-mongering going on, with frequent innuendo, snake-oil merchants and all the other parasitic tactics that can get the (undeserved) attention (and resources) of people who are not affected by those issues.
I think it's difficult to see where the right balance is, given how hard it is to measure the security of a given system.