Linux 2.6.30 exploit posted

Posted Jul 22, 2009 10:00 UTC (Wed) by ortalo (guest, #4654)
In reply to: Linux 2.6.30 exploit posted by mingo
Parent article: Linux 2.6.30 exploit posted

Hey... I have rarely read such an interesting comment, especially in association with a real security failure.

First, thanks for the nice wrap up.
Second, as I am involved in security-related teaching activities, would you eventually allow me to present your text to my students for commenting?

Finally, let me express some additional concerns.
Government-funded or organized vulnerability research may actually already be occurring but not leading to security improvements: think of military-funded organizations or simple selfish (and commercially-compatible) self-protection of big players. I wonder how we could guarantee that such organizations do contribute to overall security. But I totally agree with you that such organized research is still too rare; hence we still rely a lot too much on individual achievements in this area.
Then, there is a deeper question: don't we feel the need for technical vulnerability research because we do not put enough efforts on providing security guarantees (or mechanisms, or properties) in our systems? (And yes, I know I speak to an audience who already certainly does much more than any other one in this area - I would probably not even openly express this concern if I did not know that.)


Linux 2.6.30 exploit posted

Posted Aug 2, 2009 15:30 UTC (Sun) by mingo (subscriber, #31122)

Second, as I am involved in security-related teaching activities, would you eventually allow me to present your text to my students for commenting?

Sure, feel free!

Finally, let me express some additional concerns. Government-funded or organized vulnerability research may actually already be occurring but not leading to security improvements: think of military-funded organizations or simple selfish (and commercially-compatible) self-protection of big players. I wonder how we could guarantee that such organizations do contribute to overall security. But I totally agree with you that such organized research is still too rare; hence we still rely a lot too much on individual achievements in this area. Then, there is a deeper question: don't we feel the need for technical vulnerability research because we do not put enough efforts on providing security guarantees (or mechanisms, or properties) in our systems? (And yes, I know I speak to an audience who already certainly does much more than any other one in this area - I would probably not even openly express this concern if I did not know that.)

How much effort we put into various fields is largely supply-demand driven.

Firstly, the main drive in the 'fix space' is towards problems that affect people directly.

A bug that crashes people's boxes will get prime-time attention. A missing feature that keeps people from utilizing their hardware or apps optimally too gets a fair shot and all the market forces work on them in a healthy way.

'Security issues' is not included in that 'direct space' - the ordinary user is rarely affected by security problems in a negative way.

So computer security has become a field that is largely fear-driven: with a lot of artificial fear-mongering going on, with frequent innuendo, snake-oil merchants and all the other parasitic tactics that can get the (undeserved) attention (and resources) of people who are not affected by those issues.

I think it's difficult to see where the right balance is, given how hard it is to measure the security of a given system.
