Re: [stable] Linux

From: Casey Schaufler
Date: Wed Jul 16 2008 - 01:26:57 EST

Tiago Assumpcao wrote:
> Casey Schaufler wrote:
>> Ted Tso, Stephen Smalley and I are all recognized as security experts
>> and we can't even agree on whether sockets are objects or not, much
>> less what constitutes a security bug and even less what is likely to
>> be a security bug. Goodness, there are some of us who would argue
>> that since DNS is itself a security bug it is just not possible for
>> DNS to have a security bug, as an example.
>
> In most cases, they are easy to spot.

Err, no, in the kernel environment a real security flaw is likely to
be pretty subtle.

> You do not hesitate in categorizing yourself as something as obscure as... what's that term again? "Expert".

Actually, I always hesitate before calling myself an expert,
in spite of the credentials I have to back the title. Too
many people seem to think that if you disagree with their
point of view you can't know what you're talking about.

> But then you fail on basic pragmatism when attempting to define what, nearly always, is a true or false question?

HeeHeeHee. Security questions are almost never true or false,
black or white, on or off. SPAM is *the* major computer security
issue and it has nothing at all to do with computers or security.
Is a use of strcpy() a security vulnerability? Sure it can be,
but in reality it almost never is, but the hysteria associated
with buffer overruns gave it a bad odor.

> Jeez ;)

It's not so bad. We'll be OK. Really.

