- You have the opportunity to try to manipulate your readers however you see fit.

- Software developers and users (the people whose opinions bugfinders completely ignore) didn’t care about buffer overflows for seven years, and what did it get them? Nothing (in a good way). You’re vulnerable now in lots of ways you don’t know. You’re really going to have to accept it because there is nothing anyone is doing to protect against this REAL vulnerability except distract potential victims. Go to McDonald’s every day – food there is really tasty.

- I am confident that Sendmail would be “secure enough” to users regardless of what was discovered and disclosed. Since we can’t change the past, we’ll never know. Regardless, for every SendMail out there, there are 10 other applications with vulnerabilities.

- Glad to see you can protect against one type of attack. If you want to keep track of sprintf() vulns, you go for it. If I can get the same result with another vuln, it doesn’t matter.

re: Disclosure – simply a smokescreen and completely out of the control of any individual (who is always the victim of the attack). To the extent people can control it, no disclosure is better. Even better is to not bother looking for another buffer overflow and (to answer your question) come up with techniques to stop all of them, regardless of whether we know about them or not.

@Pete – Do you have the same disdain for so-called responsible disclosure as you do for full and immediate disclosure?

If I understand your position correctly, you would rather the industry focus on preventative solutions rather than looking for or tracking vulnerabilities at all.

Robert

As for point (8): we “knew about” buffer overflows for over 7 years, but until individual buffer overflows began to be disclosed, virtually every piece of network software deployed on the Internet was vulnerable. That, also, is not a “suggestion”; it’s a fact, which you can verify in a bug database.

The fact that there isn’t a continuing stream of buffer overflow in (for example) Sendmail is another fact. It’s a direct result of discovery and disclosure (Sendmail vulnerabilities fixed after 3rd party disclosure outnumber those fixed internally).

We will never run out of vulnerabilities. But we WILL, for example, run out of stack overflows triggered by insecure usage of sprintf(). You are conflating those two facts in your syllogism about why “bugfinding” is pointless.

Regarding (8), I don’t have any evidence to the contrary so I definitely don’t dispute that point. However, maybe I missed your reasoning for using it in response to my question. I assumed you were saying that people were being compromised left and right yet nobody knew about it. If that is a bogus assumption, my mistake. In that case, if you are suggesting that for a 7 year period there weren’t any attacks going on, then I would be a very happy camper with that situation. Are you suggesting that 7 years without attacks is a bad thing or they really happened and nobody noticed?

Regarding my deceptiveness – I am happy to clarify any point I made above. I agree it is brief, but I am willing to explain myself if it would make things clearer. I am still looking for any evidence other than opinions that vulnerability research is a good idea and the benefits derived could not have come without it.

Regarding your “not linking” and my trolling of my own site… come again?

Just to clarify, I didn’t bring up this issue again, Rich Mogull did. I am happy to respond anytime it is brought up just to ensure that the other side of the argument is heard (it is lonely over here, yes indeed).