reporter on deadline seeks comment about reported security bug in FreeBSD

Wed Sep 16 15:27:58 UTC 2009

--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry <gesbbb at yahoo.com> 
wrote:

>
> On Tue, 15 Sep 2009 23:47:10 -0700
> perryh at pluto.rain.com wrote:
>
>> Jerry <gesbbb at yahoo.com> wrote:
>> > Waiting until someone is harmed is tantamount to being an
>> > accomplice to the act.
>>
>> And providing details of a currently-undefendable vulnerability
>> to a black hat who did not previously know about it, thereby
>> enabling the black hat to perpetrate harm that would otherwise
>> not have occurred, isn't?
>
> The simple act of publishing the fact that a know exploit exists for a
> given program compromises nothing. Example:
>
> WARN: The following program(s) have known exploits.
>
> PROGRAM:         prog-name
> PROGRAM VERSION: 2.4
> OS:              FreeBSD-7.2+
> EXPLOIT:         Potential to render HD inaccessible
> PATCH:           NONE AVAILABLE
> SUGGESTION:      If prog-name is not imperative to system
>                  performance, remove it and consider using a similar
>                  product by another author.
>
> A simple solution that affords the end user the right to make an
> informed decision. I realize that governments, especially
> socialistic/fascists ones use the terms 'censorship' and 'secret' with
> the term 'For their own good' interchangeable. I would hate to see the
> open-source community, especially FBSD embracing that philosophy.
>

Are you really serious?  What you posted (your example) does absolutely no good 
for the average user.  What are you going to do?  Stop using the program?  And 
how can you possibly make an "informed decision" when you know nothing other 
than the fact that something is wrong?

OTOH, it's all an attacker needs to start digging around and successfully break 
in.

Think about this.  A guy wants to find a pot of gold.  He goes to a field and 
finds 12,000 pots.  Where does he start?  Along comes someone who believes in 
"freedom of speech" and says, "Well, I don't know where the gold is, but that 
pot over there is a good place to look.  I happen to know that it was put there 
recently and there was a lot of secrecy surrounding it."

Or an attacker approaches a seemingly impenetrable castle, trying to figure out 
how to defeat the army inside.  He knows he's going to have probe every area 
and lose many men in the process in order to find a weakness he can exploit.

Then one soldier, believing in "freedom" sends them a message that there's a 
weakness on the north face of the wall.  He doesn't tell them exactly where, 
but he's managed to focus their efforts on the area most likely to allow them 
to breach the wall and defeat the army inside, he's reduced the attacker's 
efforts by three fourths and reduced their losses as well.

You clearly don't understand the advantage that hackers have over the average 
user.

Rather than censorship, how the FreeBSD team handles issues like this is good 
stewardship.  They have a responsibility to the community to protect them. 
They do that by not irresponsibly trumpeting known weaknesses before a solution 
is available to the end users.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson