reporter on deadline seeks comment about reported security bug in FreeBSD

Jerry gesbbb at yahoo.com
Tue Sep 15 20:37:13 UTC 2009


On Tue, 15 Sep 2009 15:28:59 -0400
DAve <dave.list at pixelhammer.com> wrote:

> Jerry wrote:
> > On Tue, 15 Sep 2009 20:51:40 +0200
> > Mel Flynn <mel.flynn+fbsd.questions at mailing.thruhere.net> wrote:
> > 
> >> Please inform yourself properly before assuming you're right.
> >> Mozilla does not by default publish vulnerabilities before a fix
> >> is known. In some cases publishing has been delayed by months. The
> >> exception is when exploits are already in the wild and a work
> >> around is available, while a real fix will take more work.
> >>
> >> This is also why vulnerabilities are typically not disclosed till a
> >> fix is known, because it does not protect the typical user, but
> >> puts him in harms way, which is exactly what you don't want.
> >>
> >> In theory, if I know the details of this particular exploit, I can
> >> patch my 6.4 machines myself, but more realistically, if developers
> >> take all this time to come up with a solution that doesn't break
> >> functionality the chances that I and more casual users can do this
> >> are slim. Meanwhile, the exploit will be coded into the usual
> >> rootkits and internet scanners and casualties will be made. That
> >> doesn't help anyone.
> > 
> > Assume that I have discovered a vulnerability in a widely used, or
> > even marginal for arguments sake, program. I now start to exploit
> > that vulnerability. Now assume that you are responsible for
> > maintaining, that program. Use any job description that suits you
> > for this purpose. Are you claiming that since it may take several
> > months to fix, it is better to let users be exploited rather than
> > inform them that there is an exploitable problem in said software?
> > I find that extremely disturbing.
> > 
> > As you can no doubt tell, I am not a believer in the "Ignorance is
> > bliss" theory.
> > 
> 
> I believe the point that others are trying to make is this. Your
> example requires that the exploit is known to the blackhats and in
> use currently. Their example assumes that exploit is only known to
> those who discovered it.
> 
> This particular exploit is not believed to be known to the black
> hats, and not known to be in use currently.
> 
> Is it better for an exploit to remain a secret and not in use,
> protecting those that may not get their systems patched in time (as
> the blackhats *will* most certainly put the exploit to use as soon as
> they are told about it). Or, let the exploit remain a secret until it
> is either fixed and a patch made available or discovered in use by
> blackhats.
> 
> I think you are both right. If the exploit is not being used, keep it
> a secret and let the developers design a permanent fix. If the
> exploit is discovered publicly before the fix is out, warn everyone
> loudly and provide a workaround.
> 
> I believe all software I am aware of handles exploits with that
> method.

I am not aware of any infallible method of determining if an exploit is
in use. By the time the exploit becomes common knowledge it is usually
too late. Lacking same, I believe in the "Forewarned is forearmed"
policy. Waiting until someone is harmed is tantamount to being an
accomplice to the act.

-- 
Jerry
gesbbb at yahoo.com

Never buy from a rich salesman.

	Goldenstern
