Discovering 44 Security Holes Doesn't Make the Grade

What if you were taking a computer science course and a primary requirement is that you must discover 10 new security holes or you won't get a passing grade. Could you do it?  Hard to say, right? 

The requirement is reality for a body of students taking
D.J. Bernstein 's class entitled "MCS 494: Unix Security Holes."

According to a post on the Bugtraq mailing list (thanks to Thor Larholm at PivX Solutions) there are 25 students in the class and all totalled they have discovered
44 new security holes in Unix platforms. Doing the math, that's about 206 discoveries short if everyone were to meet the passing requirements. At least one student said "After 300 hours of work and an A average on the exams, I expect to fail the course."

Nevertheless, finding 44 holes in Unix is quite an accomplishment and it does lead to more secure operating systems. Still somehow I find it troubling that the professor has made the assumption that there are 250 holes in Unix platforms for his students to discover.

How could he expect that to be true? It might be true, but what if it isn't? Then students fail the course! And if that turned out to be the case then who would have really failed?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.