From: Daniel Harrison <danielh@loudcloud.com>
To: selinux@tycho.nsa.gov
Subject: Re: Capture the flag (was Re: Selinux kernel patches)
Date: Fri, 09 Feb 2001 08:56:17 -0800
Message-ID: <3A842131.56C5210@loudcloud.com>
In-Reply-To: 200102091033.AA740426066@bladestorm.com

In case some people haven't seen it, there has been a thread on the Vuln-Dev list hosted by securityfocus.com talking about the right and wrong way to do this. Some vendors have been participating in the discussion. I would definitely suggest checking out the archives of that list.

-dan

paul wrote:

> I have always felt that the best way to test a piece of software is the same way that any scientist would test a hypothesis.  The hypothesis here is that the software is secure.  So in order to test that hypothesis you have to have people that test that software for security holes.
>
> In my opinion, finishing a piece of software and then inviting the whole planet to try and "hack" it for $200 and a free shirt is just not the best way to approach this.  You will end up with people from all over the planet not only attacking the system but also the network, including other systems on the same wire that are gathering packets, routers, and perhaps even the upstream provider.  Sure, you can say that all these are off limits, but people will simply not care, as has been shown by these kinds of "tests" over and over and over.
>
> What we intend to do at Bladestorm is to integrate all the efforts here into our distribution and conduct a controlled test, where the software is tested by security professionals.  It will be probed and tested thoroughly, we would report our findings, patch, reprobe, and then after that cycle is done we will do a beta.  And the beta would be to put the distribution into environments where the software can be tested.  This way, we can eliminate variables such as routers going down and so forth and really be able to pinpoint holes.
>
> Public stunts like this are more like handing 2,000 people a can opener and telling them all to try to be the first to open a can.  You end up with a mess, and a lot of spilled tomato soup.  It's just not worth it from my vantage point.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Thread overview (7+ messages):
2001-02-09 15:33 Capture the flag (was Re: Selinux kernel patches) paul
2001-02-09 16:31 ` John Cordani
2001-02-09 16:56 ` Daniel Harrison [this message]
  -- strict thread matches above, loose matches on Subject: below --
2001-02-09 16:54 Ellis, Wes
2001-02-09 15:18 paul 
2001-02-09 16:58 ` Jose Nazario
2001-02-06 20:28 Selinux kernel patches Pete Loscocco
2001-02-08 18:41 ` Dale Amon
2001-02-09  2:32   ` Capture the flag (was Re: Selinux kernel patches) Sandy Harris