D. J. Bernstein wrote:

>Stephen Samuel writes:
>
>
>>I'm asking for a reasonable ammount of time for a responsible
>>programmer to ensure that his/her user community is properly served
>>and protected from the effects of the bugs.
>>
>>
>Same delusion: you think that users are protected from security holes if
>the security holes are patched before they're announced. Sorry, but
>that's not nearly fast enough. Protecting the users means making the
>programs secure before they're deployed in the first place.
>
>
In theory, theory is just like practice. But in practice, it isn't.

In theory, I agree with DJB: an infinitely-funded adversary can hire a
gang of code analysts to scour a code base looking for vulnerabilities
and *not* publish them, effectively manufacturing private exploits in
whatever quantity they are willing to pay for. It is conjectured that
certain foreign governments are actually doing this.

But in practice, there is a *substantial* amount of epidemiological data
that shows that wide-spread attacks against software follow shortly
after the disclosure (responsible or otherwise) of a vulnerability. See
Brown, Arbaugh et al A Trend Analysis of Exploitations
<http://www.cs.umd.edu/%7Ewaa/pubs/CS-TR-4200.pdf> for great data on
when attacks happen with respect to disclosure. Furthermore, if you
force a fire drill in releasing the security patch, you compromise the
quality of the patch. See my work on patch quality "Timing the
Application of Security Patches for Optimal Uptime", Beattie et al
Postscript
<http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.ps.gz>. or
ugly PDF <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.pdf>.

So while I am sympathetic to DJB's passion for correct software and to
hell with the tender feelings of developers who ship buggy code, in
practice this kind of 0-day notice of vulnerabilities *mostly* just
harms end-users.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com

[ reply ]