Slashdot Mirror


Is Finding Security Holes a Good Idea?

ekr writes "A lot of effort goes into finding vulnerabilities in software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."

10 of 433 comments

  1. Looks like by Anonymous Coward · · Score: 0, Funny

    Looks like Microsoft had it right all along! :o)

    /me ducks and runs

  2. High-larious by Defiler · · Score: 2, Funny

    I like sticking my head into the sand, but the grit keeps scratching my sunglasses. Any suggestions?

    1. Re:High-larious by Bombcar · · Score: 2, Funny

      I believe that around here, you're supposed to use "Hot Grits."

      Maybe one of the olde-tymers can help us here.....

  3. New Study by Anonymous Coward · · Score: 1, Funny

    In other news, a new study shows mowing the lawn doesn't stop the grass from growing. Scientists are perplexed at this unusual discovery.

  4. Security guy? by ajs · · Score: 4, Funny

    I'm confused about this guy. He claims to be a security consultant, but to quote his blog,
    "I replied to the mail and didn't check the recipients lines and my mailer helpfully sent a copy of my credit card # to everyone who had gotten the original message. Outstanding."

    Really. I didn't make that up, check the link! Who is this guy, and why is he giving me software security advice?!

  5. Re:It helps admins by saderax · · Score: 2, Funny

    hmm..

    Thcs m.ssage wrikken fsing tje Dvorat teyboare payouk.

    interesting sig. First one assumes that the message translates to "This message written using the Dvorak keyboard layout." However, the 'E' correctly used at the end of the word assumed to be 'the' and in the beginning of the word 'keyboard' is also used at the end of that word supposedly representing the 'D' letter. The period in the middle of the word assumed to be 'message' translates to 'E'; however, we can see that natural occurrences of the 'E' character appear elsewhere and the period also appears at the end of a sentence correctly. From this I can draw one of two conclusions:
    1. This message was NOT written using a Dvorak keyboard
    2. (or) The message more appropriately translates to "This messagd writtdn using thd Dvorak kdyboard layoute"

  6. Re:If that happens by Snowmit · · Score: 2, Funny

    I'll move to a browser that people don't exploit as much. One of the big reasons I use Mozilla is for security. Security through obscurity doesn't work, unless no-one knows about the program/not enough users use it to make exploiting vulnerabilities productive.

    Security through obscurity doesn't work unless the (secure) thing is obscure?

    --
    I have a lot of opinions about Cyborgs and Architects
  7. Re:Not necessarily by Theatetus · · Score: 3, Funny

    IIRC the hotfix for the offensive characters (some font had a swastika or something like that) was listed with the "critical" updates on windows update. Maybe I'm remembering wrong though.

    --
    All's true that is mistrusted
  8. Re:we need no bugs from the start by geoffspear · · Score: 2, Funny

    Wow, no software developer ever thought of that before. I know I have been putting bugs in my code on purpose because I thought we were supposed to. Thanks for the heads up; I'll start writing perfect code from now on.

    --
    Don't blame me; I'm never given mod points.
  9. Re:Fixing vulnerabilities is GOOD! by Psymunn · · Score: 3, Funny

    Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the exploit.
    Neo: What exploit?
    [Neo turns on the Oracle's computer and instantly pop-up ads start appearing on the Oracle's desktop]
    Oracle: That exploit.
    Neo: I'm sorry--
    Oracle: I said don't worry about it. I'll get one of my kids to write a patch for it.
    Neo: How did you know?
    Oracle: Ohh, what's really going to bake your noodle later on is, would anyone have created that virus if I hadn't told them about the exploit?

    --
    The Neo-Bohemian Techno-Socialist