Archive for June, 2010

Ethical Vulnerability Disclosure (+mediacircus)

Today there was a meaty post (on the longish side, but worth it) on the DailyDave mailing list about ethical disclosure of vulnerabilities with respect to a recent Microsoft vulnerability.

http://lists.immunitysec.com/pipermail/dailydave/2010-June/006130.html

Juicy tidbit:

“So since most researchers in the security community
have had their spines and sense of justice/fairness contractually
removed by their respective employers, I’d like to comment on some of
these topics. The purpose of my mail is to call out (by name) the
individuals, “journalists”, and companies that manufactured the
controversy for their own benefit.”

There seem to be powerful motivations from both companies and “news”-hungry journalists and bloggers to spin tech events any way they want them. Besides the main point about curtailing the motivation for ethical vulnerability research, I suppose this episode serves as a cautionary tale in terms of the credibility of the “new media.”


Is Linux a Target?

This recent article about a 3rd-party Trojan’d piece of software for Linux is a bit sensationalist.

If a user purposely installs software of uncertain provenance (STONESOUP anyone?), it doesn’t matter what operating system lurks underneath. Does anyone know of an OS that refuses to execute an application the user commands it to install and execute?

I don’t think the community has found an effective sandboxing technique that provides both precision and accuracy in constraining arbitrary software (i.e., no technique that I know of automatically ascertains what the valid limits of the software should be within the constraints of security policy and user needs).

And it definitely should not be news that Linux is (and has been for a while) a target.
