[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217


  • To: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
  • From: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 2 Jul 2012 16:13:50 +0100
  • Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Thomas Goirand <thomas@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
  • Delivery-date: Mon, 02 Jul 2012 15:10:10 +0000
  • Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAFVBMVEWysKsSBQMIAwIZCwj///8wIhxoRDXH9QHCAAABeUlEQVQ4jaXTvW7DIBAAYCQTzz2hdq+rdg494ZmBeE5KYHZjm/d/hJ6NfzBJpp5kRb5PHJwvMPMk2L9As5Y9AmYRBL+HAyJKeOU5aHRhsAAvORQ+UEgAvgddj/lwAXndw2laEDqA4x6KEBhjYRCg9tBFCOuJFxg2OKegbWjbsRTk8PPhKPD7HcRxB7cqhgBRp9Dcqs+B8v4CQvFdqeot3Kov6hBUn0AJitrzY+sgUuiA8i0r7+B3AfqKcN6t8M6HtqQ+AOoELCikgQSbgabKaJW3kn5lBs47JSGDhhLKDUh1UMipwwinMYPTBuIBjEclSaGZUk9hDlTb5sUTYN2SFFQuPe4Gox1X0FZOufjgBiV1Vls7b+GvK3SU4wfmcGo9rPPQzgIabfj4TYQo15k3bTHX9RIw/kniir5YbtJF4jkFG+dsDK1IgE413zAthU/vR2HVMmFUPIHTvF6jWCpFaGw/A3qWgnbxpSm9MSmY5b3pM1gvNc/gQfwBsGwF0VCtxZgAAAAASUVORK5CYII=
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

> It also supposes that there would be some way to police this separation
> -- how could you tell if a software vendor had given unfair advantage to
> their friends, and how could you tell which one it was in order to
> "punish" them?

You've equally got to deal with the vendors whose employees decide to
tell their friends. Common sense will always apply.

> The same problem exists if you allow service providers but insist that a
> condition of membership is that they use the pre-disclosure period to
> "prepare but not deploy" (i.e. to keep their hats separate). Other than
> a suspicious wave of reboots across that providers infrastructure
> (attributed to "routine maintenance") how would you know?

The bad guys monitor this.

The other way you'll know is when blackhats observe a given provider is
immune to an exploit infeasibly fast. At which point that will slowly
become general knowledge.

Alan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.