Of Course Joanna is Right

There has been quite a lot of Xen-bashing over XSA-148. It is no doubt a cluster-fuck, and a reflection of the sad state of the art in computer system security.

As Ian pointed out in his blog post, we collectively choose features over security. Security only matters when there is a big fuck-up like Heartbleed, Shellshock or XSA-148.

What is even sadder is the attitude of the media in general. Journalists actively hunt for headline-worthy bugs. With the help of slightly technically incorrect writing that skews the true situation, plus some implications drawn along the way, they produce many masterpieces concluding that computer system security is in a dismal state. Not that they are wrong about the conclusion; in my opinion they just completely miss the important points. Remember VENOM? I didn't include it in my list of big fuck-ups because it really wasn't anything serious, apart from its cool name. But the media picked up on it and started a spree nonetheless, just because the cool name fit right into their headlines.

So what's wrong with the world? In short, we really, really, really don't care about security. The effort of a small group of people pales in front of a world that cares more about cool new shiny things.

In my world view, this is an ever-changing world. Software is under constant pressure to evolve and adapt to its external environment. No software is perfect. There were, are and will be major bugs in all seriously written software.

If one thinks a piece of software is secure just because it has no public list of security advisories, then he or she is delusional. Good luck building things on top of that piece of software without investing a significant amount of money in a security audit. And if the media picks on a piece of software because it does have such a list, they are actually doing a disservice to the wider community: that drives projects to sweep problems under the carpet.

Coming back to XSA-148, there is no excuse on the Xen project's part. That's a serious bug, period. What should be done next is to use the correct process to avoid such errors again and, in similar situations, to minimise the impact. The Xen community constantly works on procedural improvements, learning from the past to make the future better. A constructive way of moving forward is for the Xen community to engage with security researchers to improve the security of Xen. I look forward to that.