From owner-freebsd-security Mon Jun 24 19: 0:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gray.impulse.net (gray.impulse.net [207.154.64.174]) by hub.freebsd.org (Postfix) with ESMTP id 9A55237B401; Mon, 24 Jun 2002 19:00:14 -0700 (PDT)
Received: by gray.impulse.net (Postfix, from userid 1000) id 3111237607; Mon, 24 Jun 2002 19:00:13 -0700 (PDT)
To: Theo de Raadt
Cc: "Jacques A. Vidrine", freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
References: <200206250111.g5P1BVLJ015666@cvs.openbsd.org>
From: Ted Cabeen
Date: 24 Jun 2002 19:00:13 -0700
In-Reply-To: Theo de Raadt's message of "Mon, 24 Jun 2002 19:11:30 -0600"
Message-ID: <87sn3c6rte.fsf@gray.impulse.net>
Lines: 37
User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Theo de Raadt writes:

> > I don't disagree that leaks happen. That's Just the Way It Is.
>
> Not this time.
>
> > I'd rather we had the information now to make wise choices about what to
> > do with deployed systems, custom hacks, and older-but-still-supported
> > releases --- knowing there is a possibility for `leakage' that grows
> > with time.
>
> Ask your vendor. And ask them to read the following (which I am
> re-posting since people appear not to have read it carefully enough),
> where I lay out very very very clearly what your choices and your
> vendor's choices are. If you don't like those choices, turn it off.
> What more do you expect? Ice cream and a pat on the head? You've
> never had it better! You get a warning days and days in advance, with
> no leak, and you shoot the messenger! Bang!

As I said: Hogwash.

I, for one, appreciate the early notification. It allows me to upgrade or firewall important machines.
That said, the initial warning was a little vague. Something that was clearer yet still provided little information to the blackhats would have been better. In particular, I would have liked a more clear statement of the severity of the problem. From the original email it's not clear if the vulnerability is root or user level, and whether or not it has been successfully exploited yet. Of course, it's possible that when the message was written, that wasn't known yet, and if so then fine.

Regardless, I hope that you will post further updates as you learn more about the extent of the problem.

--
Ted Cabeen                    http://www.pobox.com/~secabeen          ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2                   secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon             secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot                 cabeen@netcom.com