reporter on deadline seeks comment about reported security bug in FreeBSD
Mel Flynn
mel.flynn+fbsd.questions at mailing.thruhere.net
Tue Sep 15 18:51:43 UTC 2009
On Tuesday 15 September 2009 20:13:17 Jerry wrote:
> On Tue, 15 Sep 2009 13:18:29 -0400
>
> Bill Moran <wmoran at potentialtech.com> wrote:
> > On Tue, 15 Sep 2009 13:03:50 -0400
> >
> > Jerry <gesbbb at yahoo.com> wrote:
> > > On Tue, 15 Sep 2009 11:13:31 -0400
> > >
> > > Bill Moran <wmoran at potentialtech.com> wrote:
> > > > In response to Jerry <gesbbb at yahoo.com>:
> > > > > I usually discover security problems with updates I receive from
> > > > > <http://www.us-cert.gov/>. Aren't FreeBSD security problems
> > > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > > dark to known security problems is not a serviceable protocol.
> > > >
> > > > Because releasing security advisories before there is a fix
> > > > available is not responsible use of the information, and (as is
> > > > being discussed) the fix is still in the works.
> > >
> > > I disagree. If I have a medical problem, or whatever, I expect to
> > > be informed of it. The fact that there is no known cure, fix, etc.
> > > is immaterial, if in fact not grossly negligent.
> >
> > This is a stupid and non-relevant comparison. A better comparison
> > would be if I realized that you'd left your car door unlocked in a
> > less than safe neighborhood. Would you rather I told you discreetly,
> > or just started shouting it out loud to the neighborhood? Wait, I
> > know the answer, if I see _your_ car unlocked, I'll just start
> > shouting.
>
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it are grossly
> negligent.
Please inform yourself properly before assuming you're right. Mozilla does not
by default publish vulnerabilities before a fix is known. In some cases
publishing has been delayed by months. The exception is when exploits are
already in the wild and a workaround is available, while a real fix will take
more work.
This is also why vulnerabilities are typically not disclosed till a fix is
known, because it does not protect the typical user, but puts him in harm's
way, which is exactly what you don't want.
In theory, if I know the details of this particular exploit, I can patch my
6.4 machines myself, but more realistically, if developers take all this time
to come up with a solution that doesn't break functionality the chances that I
and more casual users can do this are slim. Meanwhile, the exploit will be
coded into the usual rootkits and internet scanners and casualties will be
made. That doesn't help anyone.
--
Mel