Date: Mon, 16 Dec 1996 20:47:40 -0800 (PST)
From: Steve Reid <steve@edmweb.com>
To: Richard Wackerbarth <rkw@dataplex.net>
Cc: Joakim Rastberg <jor@xinit.se>, security@freebsd.org
Subject: Re: crontab security hole exploit
Message-ID: <Pine.BSF.3.91.961216201723.191H-100000@bitbucket.edmweb.com>
In-Reply-To: <l03010d00aedb15f6a17f@[208.2.87.4]>

> My attitude is that it is better to have obscurity than having the exploit
> readily available to a wide audience. I realize that the truly good
> crackers can figure it out for themselves. But there are many "children" who
> will try something when it is handed to them. IMHO, we should at least give
> the upper hand to the sysops and, if possible, provide the fix before the
> attack becomes widespread.

Consider: The SYN-flooding bug in TCP has been known about for _years_. When did OS vendors start including measures to strengthen the kernel against such attacks? Immediately after 2600 and Phrack published exploits. The OS vendors seem to wait until those "children" get their hands on the exploits before they consider the holes important enough to fix.

On the other hand: SYN flooding is a denial of service attack, and you _know_ when you've been hit. AFAIK, it never happened (except as an experiment) before the exploits were published, and when it started happening the OS vendors (even MS!) scrambled to the rescue.

With buffer overruns and such, you may never know that you've been broken into, so you want to get it fixed before the exploits start happening. I'm sure many such bugs are fixed quietly by the vendors, long before exploits are released.

Also, does it really help much to fix crontab, when you can bet your bottom dollar that there are still security problems with sendmail?

My personal feeling: You shouldn't post an exploit script publicly unless you have a fix, even if it's only a temporary fix until the vendors can release something better. Removing the suid bit from crontab is at worst a temporary inconvenience to your users, so IMHO that qualifies as a temporary fix. If you send a problem report to the vendor and weeks pass without results, then go ahead and post the exploit.