Puzzle 2: September 27, 2019

You discover a security flaw in the operating system on your company’s computer. The flaw enables any user to read any other user’s files, regardless of their protection. You have several choices: you can keep quiet and hope no-one else discovers the flaw, or tell the company, or tell the system vendor, or announce it on the Internet.

  1. Suppose an exploitation of the vulnerability could be prevented by proper system configuration. Which of the above courses of action would you take, and why?
  2. If an exploitation of the vulnerability could be detected (but not prevented) by system administrators, how would this change your answer to question 1?
  3. Now suppose no exploitation of the vulnerability can be detected or prevented. Would this change your answer, and if so, how?

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 153, Computer Security
Version of September 27, 2019 at 10:28AM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh