From owner-freebsd-security Mon Dec 16 10:54:25 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA24359 for security-outgoing; Mon, 16 Dec 1996 10:54:25 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA24343 for ; Mon, 16 Dec 1996 10:54:23 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id LAA19157; Mon, 16 Dec 1996 11:53:50 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id LAA09112; Mon, 16 Dec 1996 11:39:59 -0700 (MST) Date: Mon, 16 Dec 1996 11:39:58 -0700 (MST) From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Richard Wackerbarth cc: Joakim Rastberg , security@freebsd.org Subject: Re: crontab security hole exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Yes. Fixes should be posted before exploits. Give people a day or two to fix a hole. People who know what they are doing can make their own exploit once they know the problem exists, but if they wanted to, people like that could find the problem themself anyway. This particular hole is nothing new, unfortunately it slipped through the cracks in -stable. However, if a fix has been available there is nothing wrong with posting an exploit. People shouldn't need to see exploits to act on a known hole, I will bet that there are many people out there who file the hole as "something to get around to fixing sometime" until they see a pretty exploit that gives them root in 2 seconds. On Mon, 16 Dec 1996, Richard Wackerbarth wrote: > jor@xinit.se writes: > > >I would rather like the exploits be posted as they can be used > >to leverage the "management" to pay attention (background: I am working as > >a contractor to run some unix-boxes and although I whine about the low > >security *nothing* happens until I can show I get a #, then someone > >perhaps pulls the plug and pays for a more secure installation. My point > >beeing is that many companies, at least the ones I work for, IGNORES holes > >until someone have shown them the exploit) > > An interesting perspective. > My attitude is that it is better to have obscurity than having the exploit > readily available to a wide audience. I realize that the truly good > crackers can figure it out for themself. But there are many "children" who > will try something when it is handed to them. IMHO, we should at least give > the upper hand to the sysops and, if possible, provide the fix before the > attack becomes widespread. > >