[Dailydave] The old speak: Wassenaar, Google, and why Spender is right

Michal Zalewski lcamtuf at coredump.cx
Tue Aug 4 11:12:41 EDT 2015


> and how does finding/fixing bugs change that? are you saying that p0
> efforts resulted (or have a chance to result) in a *complete* extermination
> of security bugs that affect a *single* layer at least? either that or
> your bug squashing doesn't matter (for security).

I am fairly confident that many core components that we depend on have
gotten a lot harder to compromise over the years; we are obviously not
at a point where there are no bugs left (and we're certainly not at a
point where optimal design practices or mitigation frameworks are
bulletproof, either), but at least subjectively, I feel that at any
given time, far fewer people would be able to compromise my web server
than in the 90s, and far fewer are likely to have a 0-day exploit for
my browser, compared to the 2000s.

Some of this comes down to mitigations, sandboxing, and better design
practices - although their adoption by non-security engineers is
driven largely by the cold and hard evidence of failures. And in my
view, a lot of it also comes down just to relentless fuzzing and
manual code audits.

Now, of course, it's hard to truly quantify such opinions, and if you
think otherwise, I think it's quite fine to disagree :-)

>> I'm sure that neither you nor Brad are running 15-year old copies of
>> Apache and OpenSSH, or browsing the web with Netscape Navigator, and
>> then putting all your faith in containment frameworks.
>
> we don't run new software because of the security bugs fixed in them
> but because that's how the whole stack evolves

Interesting; so the knowledge of an RCE in OpenSSH would not factor
into your decision to stay on a particular version? That sounds like a
bold move.

/mz

