[Development] Proposal: Time to decide what security policy the Qt Project will use (not Trolltech/Nokia/Digia)

Sze Howe Koh szehowe.koh at gmail.com
Fri Oct 26 18:16:50 CEST 2012


On Fri, Oct 26, 2012 at 11:06 PM, d3fault <d3faultdotxbe at gmail.com> wrote:

> What about:
>
> >EXACTLY.
> >-A few crackers armed with knowledge you don't have
> >-A ton of script kiddies with knowledge you also have
>
> >The lesser of two evils is the latter.
>
> >BECAUSE *copies from above*:
> >You do not have to fear the script kiddies a single bit if you are
> >armed with the same information as them (because you shut down).
>
> That's a strong argument.
>

Let's make a simple categorization for all the stakeholders, to make things
clearer. For the bad guys, we have Crackers and Script Kiddies. For the
good guys, we have Security Experts, Non-expert Techies, and End Users.
Then, let's model the 2 scenarios.


CASE A: Responsible Disclosure
-- A few crackers know.
-- A few security experts know.


CASE B: Full Disclosure
-- Don't forget, the SAME few crackers from (A) still know. Plus many more
crackers who didn't know before. Plus a ton of script kiddies.
-- The same few security experts from (A) know, plus maybe a few more
security experts, plus many non-expert techies. Maybe a few end users paid
attention and now know, but most of them remain ignorant.


It is often easier to destroy than to construct/protect. One script kiddie
can harm many end users. One cracker can harm a ton of end users, and even
some non-expert techies. On the other hand, end users won't really know
what the best way to protect themselves is, even if they were aware of the
vulnerability; they may even panic. Non-expert techies will fare better and
can reasonably protect themselves, but that hardly helps other potential
targets. Security experts can do something about it, but that will only be
effective when the fix is published, and when everyone else actually
applies the fix. Do you agree so far?

So, the same knowledge has different potencies in different hands. I
disagree when you say "You do not have to fear the script kiddies a single
bit if you are armed with the same information as them". So far, you've
argued that techies and experts shouldn't have to fear script kiddies much.
That may be true when it's about protecting oneself, but you really must
remember that security is about protecting EVERYONE -- especially the end
users who're in ignorant bliss. Case B opens up the knowledge to both
sides, but the bad guys will be able to use it to produce a huge impact,
while the good guys will only have a small benefit.


Regards,
Sze-Howe