From: Joanna Rutkowska
Subject: Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Date: Sun, 08 Jul 2012 09:30:25 +0200
Message-ID: <4FF93711.6020108@invisiblethingslab.com>
To: George Dunlap
Cc: Lars Kurth, xen-devel@lists.xen.org, Matt Wilson, Jan Beulich, Stefano Stabellini
List-Id: xen-devel@lists.xenproject.org

On 07/06/12 18:46, George Dunlap wrote:
> Another question has to do with robustness of enforcement. If there
> is a strong incentive for people on the list to break the rules
> ("moral hazard"), then we need to import a whole legal framework: how
> do we detect breaking the rules?

1) Realizing that somebody released patched binaries during embargo is
simple.

2) Detecting that somebody patched their systems might be harder (after
all we're not going to perform pen-tests on EC2 systems and the likes,
right? ;)

3) Detecting that somebody sold info about the bug/exploit to the black
market might be prohibitively hard -- the only thing that might
*somehow* help is the use of some smart watermarking (e.g. of the
proof-of-concept code).
Of course, if a person fully understands the bug/exploit, she would be
able to recreate it from scratch herself, and then sell it to the bad
guys.

On the other hand, #2 above seems like the least problematic for the
safety of others. After all, if the proverbial AWS folks patch their
systems quietly, it doesn't immediately give others (the bad guys)
access to the info about the bug, because nobody external (normally)
should have access to the (running) binaries on the provider's
machines.

So, perhaps #3 is of biggest concern to the community.

joanna.
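An added example, not part of this thread and not Xen project code, of the kind of watermarking point 3 above alludes to: each pre-disclosure recipient gets a copy of the PoC in which the wording of a few comments and one identifier encodes a secret-keyed, per-recipient codeword, and a leaked copy is matched back to the nearest enrolled codeword even after a slot or two has been edited away. The PoC template is a constructed, harmless byte-pattern generator (not an exploit), the slot alternatives, recipient names and key are invented for the example, and the Registry class is hypothetical.

```python
"""Per-recipient watermarking of an embargoed proof-of-concept.

Added example, not part of the xen-devel thread. The template below is a
constructed, harmless byte-pattern generator, and the key is a demo value.
"""
import hashlib
import hmac

# Constructed PoC template. Each {sN} is a point with two semantically
# equivalent spellings; the choice made at each slot carries one bit.
POC_TEMPLATE = """\
#!/usr/bin/env python3
{s0}
{s1}
import struct, sys

{s2}
def build_payload({s3}):
    {s4}
    chunk = struct.pack("<Q", {s3})
    {s5}
    return chunk * (4096 // len(chunk))

{s6}
def main():
    {s7}
    sys.stdout.buffer.write(build_payload(0x4141414141414141))

main()
"""

# Alternatives must not be substrings of each other, or extraction is ambiguous.
SLOTS = [
    ["# PoC for embargoed issue", "# Proof of concept for embargoed issue"],
    ["# do not redistribute", "# DO NOT REDISTRIBUTE"],
    ["# build one page of repeated pointer values",
     "# fill one page with the repeated pointer value"],
    ["addr", "target"],
    ["# little-endian 64-bit", "# 64-bit, little-endian"],
    ["# repeat until a page is full", "# repeat to fill a page"],
    ["# entry point", "# entrypoint"],
    ["# emit raw bytes", "# write raw bytes to stdout"],
]

SECRET = b"constructed-demo-key"  # assumption: held only by whoever distributes the PoC


def codeword(secret, recipient, counter):
    """Keyed PRF -> one bit per slot, so a recipient cannot forge another's mark."""
    digest = hmac.new(secret, f"{recipient}:{counter}".encode(), hashlib.sha256).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(SLOTS))]


def hamming(observed, expected):
    """Mismatches over readable slots; None marks a slot that was edited away."""
    return sum(1 for o, e in zip(observed, expected) if o is not None and o != e)


class Registry:
    MIN_DIST = 3  # pairwise distance >= 3: one flipped slot still decodes uniquely

    def __init__(self, secret):
        self.secret = secret
        self.marks = {}  # recipient -> codeword

    def enroll(self, recipient):
        """Take the first keyed codeword far enough from every existing one."""
        for counter in range(256):
            cw = codeword(self.secret, recipient, counter)
            if all(hamming(cw, other) >= self.MIN_DIST for other in self.marks.values()):
                self.marks[recipient] = cw
                return cw
        raise RuntimeError("no codeword with enough distance; add more slots")

    def render(self, recipient):
        """The copy of the PoC that this recipient receives."""
        fills = {f"s{i}": SLOTS[i][bit] for i, bit in enumerate(self.marks[recipient])}
        return POC_TEMPLATE.format(**fills)

    def extract(self, text):
        """One bit per slot; None when neither or both alternatives survive."""
        bits = []
        for alts in SLOTS:
            present = [i for i, alt in enumerate(alts) if alt in text]
            bits.append(present[0] if len(present) == 1 else None)
        return bits

    def identify(self, leaked_text):
        """Nearest enrolled codeword: (recipient, distance, margin to runner-up)."""
        bits = self.extract(leaked_text)
        scored = sorted((hamming(bits, cw), name) for name, cw in self.marks.items())
        best_d, best = scored[0]
        margin = scored[1][0] - best_d if len(scored) > 1 else len(SLOTS)
        return best, best_d, margin  # margin 0 means the evidence is inconclusive


if __name__ == "__main__":
    reg = Registry(SECRET)
    for name in ["vendor-a", "vendor-b", "vendor-c"]:
        reg.enroll(name)
    print(reg.identify(reg.render("vendor-b")))
```

The margin returned by identify is what makes the result usable as evidence: a leaked copy should sit at distance 0 or 1 from exactly one recipient and well away from all others. The limits are the ones the message itself points out: a recipient who understands the bug can rewrite the PoC from scratch and no mark survives, and a tool that strips comments removes every comment-based slot at once, which is why at least some slots should live in identifier choices or code structure rather than in comments alone.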