Is Finding Security Holes a Good Idea?

ekr writes "A lot of effort goes into finding vulnerabilities in software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."
  • Looks like (Score:0, Funny)

    by Anonymous Coward on Friday June 11, 2004 @12:38PM (#9398946)
    Looks like Microsoft had it right all along! :o)

    /me ducks and runs
  • by Defiler ( 1693 ) * on Friday June 11, 2004 @12:40PM (#9398964)
    I like sticking my head into the sand, but the grit keeps scratching my sunglasses. Any suggestions?
  • New Study (Score:1, Funny)

    by Anonymous Coward on Friday June 11, 2004 @12:42PM (#9399007)
    In other news, a new study shows mowing the lawn doesn't stop the grass from growing. Scientists are perplexed at this unusual discovery.
  • by Bombcar ( 16057 ) on Friday June 11, 2004 @12:49PM (#9399108) Homepage Journal
    I believe that around here, you're supposed to use "Hot Grits."

    Maybe one of the olde-tymers can help us here.....
  • by ajs ( 35943 ) on Friday June 11, 2004 @12:52PM (#9399167) Homepage Journal
    I'm confused about this guy. He claims to be a security consultant, but to quote his blog [rtfm.com],
    "I replied to the mail and didn't check the recipients lines and my mailer helpfully sent a copy of my credit card # to everyone who had gotten the original message. Outstanding."

    Really. I didn't make that up, check the link! Who is this guy, and why is he giving me software security advice?!
  • by saderax ( 718814 ) on Friday June 11, 2004 @12:57PM (#9399269)
    hmm..

    Thcs m.ssage wrikken fsing tje Dvorat teyboare payouk.

    Interesting sig. First one assumes that the message translates to "This message written using the Dvorak keyboard layout." However, the 'E' correctly used at the end of the word assumed to be 'the' and in the beginning of the word 'keyboard' is also used at the end of that word, supposedly representing the 'D' letter. The period in the middle of the word assumed to be 'message' translates to 'E'; however, we can see that natural occurrences of the 'E' character appear elsewhere and the period also appears at the end of a sentence correctly. From this I can draw one of two conclusions:
    1. This message was NOT written using a Dvorak keyboard
    2. (or) The message more appropriately translates to "This messagd writtdn using thd Dvorak kdyboard layoute"
  • by Snowmit ( 704081 ) on Friday June 11, 2004 @01:05PM (#9399382) Homepage
    I'll move to a browser that people don't exploit as much. One of the big reasons I use Mozilla is for security. Security through obscurity doesn't work, unless no-one knows about the program/not enough users use it to make exploiting vulnerabilities productive.

    Security through obscurity doesn't work unless the (secure) thing is obscure?
  • by Theatetus ( 521747 ) * on Friday June 11, 2004 @01:31PM (#9399751) Journal

    IIRC the hotfix for the offensive characters (some font had a swastika or something like that) was listed with the "critical" updates on windows update. Maybe I'm remembering wrong though.

  • by geoffspear ( 692508 ) * on Friday June 11, 2004 @01:40PM (#9399871) Homepage
    Wow, no software developer ever thought of that before. I know I have been putting bugs in my code on purpose because I thought we were supposed to. Thanks for the heads up; I'll start writing perfect code from now on.
  • by Psymunn ( 778581 ) on Friday June 11, 2004 @02:48PM (#9400756)
    Oracle: I'd ask you to sit down, but, you're not going to anyway. And don't worry about the exploit.
    Neo: What exploit?
    [Neo turns on the Oracle's computer and instantly pop-up ads start appearing on the Oracle's desktop]
    Oracle: That exploit.
    Neo: I'm sorry--
    Oracle: I said don't worry about it. I'll get one of my kids to write a patch for it.
    Neo: How did you know?
    Oracle: Ohh, what's really going to bake your noodle later on is, would anyone have created that virus if I hadn't told them about the exploit?
