Ok Peter, I’ll respond: No.

Thomas Ptacek | October 31st, 2005 | Filed Under: Disclosure

You can sum up Lindstrom’s arguments this way: the industry is best served by making life difficult for weak attackers, even at a cost of making life easier for strong attackers.

We can go round and round about whether this is a useful strategy, but my read is that this argument has become boring, especially when it’s carried on between me and Peter Lindstrom.

Suffice it that I don’t believe “weak attacker” and “strong attacker” are useful distinctions for software security. Unlike cryptographic data security, where “strong attackers” benefit from millions of dollars in equipment, and where it is therefore useful to employ gradations like “foreign government” or “organized crime”, clever software exploits are no more expensive than cookbook exploits.

To the rest of Lindstrom’s argument, I’ll lapse into smug laziness and say that Lindstrom’s opinions about what Neel Mehta, myself, or anyone else will inspect have no impact on what we’ll be publishing. On the other hand, Mehta’s opinion on what is “fair game” has a LOT of impact on what will get published, and, in the immortal words of Nelson Muntz, “hAH-hAH!”

You don’t need to consider motives to defend “opposition research”: Snort is a high-value target which is intentionally exposed to peer review by nature of an open codebase. It’s definitely a “security hot spot”, and overtly positioned that way. Does Mehta get an emotional kick out of beating a competing security system? I certainly do. Does that impact the value of strengthening a widely deployed security tool? I’m waiting for someone to show me how.

I don’t even think Marty buys the idea that finding bugs in Snort is unproductive.
