Re: thoughts on kernel security issues

[Linus Torvalds]

On Thu, 13 Jan 2005, Arjan van de Ven wrote:
>
> On Thu, 2005-01-13 at 19:41 +0000, Alan Cox wrote:
> 
> > So the non-disclosure argument is perhaps put as "equality of access at
> > the point of discovery means everyone gets rooted.". And if you want a
> > lot more detail on this read papers on the models of security economics
> > - its a well studied field.
> 
> or in other words: you can write an exploit faster than y ou can write
> the fix, so the thing needs delaying until a fix is available to make it
> more equal.

That's a bogus argument, and anybody who looks at MS practices and 
is at all honest with himself should see it as a bogus argument.

I think MS _still_ to this day will stand up and say that they have had no
zero-day exploits. Exactly because they count "zero-day" as the day things
get publically released. Never mind that exploits where (and are)  
privately available on cracking networks for months before. They just
haven't been publically released BECAUSE EVERYBODY IS PARTICIPATING IN THE
GAME.

The written rule in this community is "no honest person will report a bug
before its time is through". Which automatically means that you get 
branded as being "bad" if you ever rock the boat. That's a piece of 
bullshit, and anybody who doesn't admit it is being totally dishonest with 
himself.

Me, I consider that to be dirty.

Does Linux have a better track record than MS? Damn right it does. We've 
had fewer problems, and I think there are more people out there standing 
up for what's right anyway. Less PR people deathly afraid of rockign the 
boat. Better technology, and fewer horrid design mistakes.

But that doesn't mean that all the same things aren't true for vendor-sec 
that are true for MS. They are just bad to a (much, I hope) smaller 
degree.

So instead, let's look at FACTS:

 - fixing a security bug is almost always much easier than writing an 
   exploit.  Arjan, your argument simply isn't true except for the worst 
   possible fundamental design issues. You should know that. In the case 
   of "uselib()", it was literally four lines of obvious code - all the 
   rest was just to make sure that there weren't any other cases like that
   lurking around.

 - There are more white-hats around than black-hats, but they are often 
   less "driven" and motivated. Now _that_, I would argue, is the real 
   problem with early disclosure - motivation.  The people really 
   motivated to find the bugs are the people who are also motivated to
   mis-use them. However, vendor-sec and "the game" just makes it more 
   worth-while for security firms to participate in it - it gives them the 
   "good PR" thing. And how much can you trust the "gray hats"?

And this is why I believe vendor-sec is part of the problem. If you don't
see that, then you're blinding yourself to the downsides, and trying to
only look at the upsides.

Are there advantages and upsides? Yes. Are there disadvantages?  
Indubitably. And anybody who disregards the disadvantages as "inevitable"
is not really interested in fixing the game.

			Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/