February 22nd, 2006, 04:51 AM
How does the 'sploit/security patches scene work?
I'm writing a paper about IT security, patching holes, and how I've contributed to this scene (under other aliases and this one). I'm putting things such as securityfocus's bugtraq and other mailing lists, contacting vendors directly, website forums, etc., as means that people use to publish their findings (hopefully legitimately). Thing is, I need to come up with a "hierarchy" of sorts. Or, rather, some way to better describe to a layperson how the security and patching world works, in the subject specifically of exploits/holes/bugs and contributions made by seemingly-random Internet users. Anyone have any input?
February 22nd, 2006, 04:25 PM
I don't think there is any real hierarchy to speak of.
I'd probably approach it by explaining the various approaches to disclosure, from private disclosure to the vendor through to full disclosure, and everything in between (like iDefense's bounty for Microsoft vulns, or the various approaches to "responsible disclosure").
February 22nd, 2006, 04:39 PM
I would suggest following the sequence of events from the discovery of the bug, exploit through to the deployment of the patch or update. That should allow you to give a description of the different people or organisations involved at the different stages. It should also allow you to adapt the technical level to your audience. Don't know if that helps but good luck with your paper.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
February 22nd, 2006, 04:56 PM
OK mate, I am no expert but:
1. Define vulnerability and exploit and their relationship.
2. Where do you learn of vulnerabilities?
3. What do you then check to see if it has that vulnerability? say buffer overflows...
4. Who do you contact... software suppliers?
5. What software is affected?
6. What media deal with this sort of stuff? (CERT, SANS etc..)
7. Do you do a POC?
Something along those lines?
February 22nd, 2006, 05:26 PM
You guys have been a HUGE help. Thanks so much for your contributions and steering.
EDIT: and I'd green the two of you that I didn't if I didn't have to spread! Hehe
February 22nd, 2006, 05:33 PM
Hey Jehn~ please keep us informed, we may be able to add more.
One question I have is what kind of audience is this aimed at?
February 22nd, 2006, 09:18 PM
I'm applying to a very prestigious house here at Cornell called Telluride House. It's basically a large house on campus that is focused primarily on intellectual growth, community-building, and self-government of the house (completely). Some notable members who have lived in Telluride House have been Paul Wolfowitz, Francis Fukuyama, and many others.
One of the application questions is to engage in a topic of interest, and the point of the exercise is to see how I would be able to explain to a normal (albeit very smart) person on a topic about which they know nothing. That's why I'm doing this asking of you guys for help!
Thanks again. :-D