BIND update?
Wesley Shields
wxs at FreeBSD.org
Wed Jul 9 18:55:07 UTC 2008
On Wed, Jul 09, 2008 at 02:54:05PM -0400, Wesley Shields wrote:
> On Wed, Jul 09, 2008 at 11:33:25AM -0700, Chris Palmer wrote:
> > Wesley Shields writes:
> >
> > > In the security world there is a balance which must be maintained between
> > > providing information to consumers so that they may plan accordingly, and
> > > not providing too much information so that the attackers can write
> > > exploits; this is the sensitive nature of the information which often
> > > leads to opaque processes by security teams around the world.
> >
> > http://en.wikipedia.org/wiki/Kerckhoffs'_principle
> >
> > Malware authors create exploits based on information they gleaned by reverse
> > engineering the binary patches released by Microsoft. They are able to get
> > these exploits into the wild before everyone has even had a chance to apply
> > the patches, even though the patching is (semi-)automated.
>
> I'm well aware of that, as I have many friends who do this for a living
> (legitimate businesses). I'm also not sure how this applies since the
> project is open source - the fix is published at the time of the patch,
> so there's no reverse engineering to do. If anything this illustrates
> that patches should be applied in a timely manner in an open source
> project, since the window you are describing is effectively zero.
>
> > Not only is there no security through obscurity, there isn't even any
> > obscurity. :)
>
> The point is to not give hints about where in the code the problem lies
> while at least being able to give the consumers of FreeBSD a chance to
> plan around any potential bugs. Given the sensitive nature of the
> issue, and the fact that some things are under NDA, I'm not entirely
> sure it is a good idea. I'd like to see a more transparent process
> without causing any harm to it, but I'm not sure how to do that right
> now.
>
> Despite me wanting to see this happen I think these issues are too big
> to overcome without more thought. I'm considering this issue closed for
> now.
Oh, and as I've stated to Remko privately: I think the security team is
doing a good job. I, in no way, mean to suggest otherwise. I'm just
trying to allow the consumers of FreeBSD a bit of wiggle room with
regards to planning. ;)
-- WXS