From: Jason Hunt
Date: Tue, 25 Jun 2002 00:25:47 -0400 (EDT)
To: freebsd-security@FreeBSD.ORG
Cc: Theo de Raadt, Sean Kelly, Ted Cabeen, "Jacques A. Vidrine"
Subject: Re: Hogwash
In-Reply-To: <200206250332.g5P3WQLJ024062@cvs.openbsd.org>
Message-ID: <20020625000308.S61629-100000@lethargic.dyndns.org>

On Mon, 24 Jun 2002, Theo de Raadt wrote:

> This one is clearly different. We have a tool which can avoid people being
> holed, without having to publish a patch.
>
> If you don't understand that, please go back and study the situation more.
>
> By holding this information back for a few more days, we are
> permitting a very important protocol to be upgraded in an immune way,
> OR YOU CAN TURN IT OFF NOW.
>

By "tool", you mean a workaround, correct? Does this exception to full disclosures include all rootable exploits? Is it to be implied that a full disclosure becomes a reality once a patch is available?

I for one respect what Theo does, but this whole thing seems kind of hypocritical. Then again, everyone is once in a while. So be it.

Also, this talk of a trojan horse or whatever sounds like "hogwash". From what I've seen, I think people are getting "scared" into upgrading and using privsep. That's not necessarily a bad thing, it just seems kind of silly that people have to be scared in order to take security seriously.

My two cents.