[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Server Compromise -- A Fire Drill ??



on Thu, Dec 04, 2003 at 06:21:33PM +0100, Johannes Zarl (johannes.zarl@ahl.uni-linz.ac.at) wrote:
Content-Description: signed data
> On Thursday 04 December 2003 17:43, Tom wrote:
> > On Thu, Dec 04, 2003 at 10:15:12AM -0600, John Hasler wrote:
> > > ...  That's why the kernel
> > > developers thought it was just an ordinary bug: they could see no way
> > > to exploit it.
> >
> > That statement is somewhat disconcerting.  The hypothesis is that many
> > eyes detect secure bugs, and here is clear case evidence contradicting
> > that hypothesis.
> 
> <nitpicking>
> Actually, the hypothesis is that many eyes detect severe bugs more likely. 
> So one severe bug going undetected (or in this case underestimated) 
> doesn't disprove the hypothesis. 
> </nitpicking>

It was detected, all right.

I just wasn't reported back to Kernel Development as a security bug
directly.


> > One must assume there are more bugs in this class.
> 
> Definitely. Like in every big software-project one must assume there are 
> (severe) bugs going undetected. 

IIRC, it was a prior nonproductive thread with "Tom" which pointed out
seeding and metrics as a way of estimating such bug counts.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The truth behind the H-1B IT indentured servant scam:
    http://heather.cs.ucdavis.edu/itaa.real.html

Attachment: pgpObSBmolBxX.pgp
Description: PGP signature


Reply to: