Date:      Tue, 4 Feb 1997 21:43:18 -0400 (AST)
From:      The Hermit Hacker <scrappy@hub.org>
To:        Karl Denninger <karl@Mcs.Net>
Cc:        Poul-Henning Kamp <phk@critter.dk.tfs.com>, jkh@time.cdrom.com, current@freebsd.org
Subject:   Re: Question: 2.1.7?
Message-ID:  <Pine.BSF.3.95.970204212809.18567o-100000@thelab.hub.org>
In-Reply-To: <199702050002.SAA05789@Jupiter.Mcs.Net>

On Tue, 4 Feb 1997, Karl Denninger wrote:

> > >In other words, you don't like opposing points of view.
> > 
> > We don't mind opposing views one bit.
> > 
> > What we >do< mind is people who can >only< talk in extremes and ultimatums.
> > 
> > People who don't know why the middle road has to be found, because they
> > see the world from the trench on one side of the road.
> 
> When the patient is bleeding from the arteries, there is no time to talk
> about middle ground.  You do the triage first, THEN assess what and how to 
> take care of the underlying problem.
> 
> The problem here is that Jordan refuses to admit that the patient is already
> without heartbeat and bleeding to death on the table.
>
	I sure am glad you aren't a doctor, Karl...you are the only one 
in this argument so far that has pronounced the patient dead...would hate
to be your patient, you'd be burying me alive :(
 
> > You would get much more of your usually not entirely unreasonable
> > suggestions through if you communicated them in a civilized manner
> > rather than as a monkey on caffeine.
> 
> I START being reasonable.  When I'm dismissed out of hand and ignored on 
> something that is of extreme importance then it's time to up the volume more 
> than a few notches.  When the other party starts getting into the whole 
> "you're smoking crack" game then it's time to give up on reasonable 
> discourse and decide if the issue is important enough to pursue.
> 
> In this case, it is.  Therefore, I'm pursuing it with all available means 
> at my disposal and will do so until it's resolved.
>
	So, we have one camp that, although they most likely admit there is
a problem, doesn't consider your solution acceptable...and there is you.
 
> > As far as I know the FreeBSD project is in the process of finding out 
> > how to respond to this problem.  
> 
> The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
> servers and make a PUBLIC announcement that the vulnerability has been 
> found.
>
	Geez, if every OS did that each time CERT put out an advisory
concerning one hole or another, we'd never have anything to run on our
machines... :)
 
> The reason you do this is so that *MORE PEOPLE DO NOT GET HURT*.
>
	Hrmmm...I'm personally running 3.0 on my home machine, so this
bug may be fixed already, but I'm curious as to how many out there are
going to "get hurt"...from what I've seen so far in this discussion (and
sorry, I arrived late and overlooked some of it)...the problem seems to
involve daemons that would require someone to have an account *on* my machine
to start off with ("at" being the one that comes to mind)...since I'm the
only one with an account on my home machine, I don't have any risk (again,
I could have missed the discussion where a list of daemons with this bug
was presented, and, if so...sorry)
 
> > Being a volunteer, spare-time, unpaid
> > project, we cannot just call everybody to attention and fix it in 10min
> > flat.  We need the planet to rotate a couple of times to get people
> > mobilized.
> 
> You're missing the point Paul.  Nobody is demanding an instant fix.
> 
> What I'm demanding is that you ADMIT IT IS BROKEN, and help stop people 
> from being burned by it.  You can't save the world, but you CAN mitigate 
> further damage.  You do this by WARNING PEOPLE and giving them fair notice 
> *BEFORE* their disks get formatted or moles inserted into their systems
> which 99% of the admins will NEVER find.
> 
> The problem is that the CORE team has REFUSED TO ADMIT IT'S BROKEN and take
> action to minimize the ONGOING damage.  And yes, that means killing the
> 2.1.6 CD shipments and removing the distribution from the FTP sites.
> 
> RIGHT NOW.  Not tomorrow, not in a week when you have a fix.
> 
> NOW.  
>
	See comment above about CERT advisories...*shrug*  If vendors 
started pulling releases each time a CERT advisory came out about a
*hole* in the OS, we wouldn't have any OSs to run :(
 
> If I have to call Walnut Creek tomorrow morning and plead my case with them
> I will.  I'll go to the wall on this, because I absolutely do not need the
> problems on *MY* network that come from customers who attach known-to-be-
> insecure machines and then come looking to us when they get hacked to little
> bits.  I also don't need the random disruptions that we end up with when
> we're forced into picking up the pieces when others in the community get 
> screwed.
>
	Ah, a good Samaritan...
 
> > If this is not good enough for you you have three choices:
> > 	1. Pay somebody to fix it "right now!"  (You can look in our
> > 	   web pages for people offering services of that kind.)
> > 	2. Do it yourself.
> 
> Already did that.  That's not what's under discussion here.  What's under
> discussion is your responsibility to the entire Internet community that uses
> the software you publish.  Not whether or not Karl Denninger got screwed and
> how pissed he is over that event (I didn't GET screwed).
>
	Ah, so you just wish to hear yourself rant over something that 
didn't affect you?  I'm curious, but you state that you have already
performed option 2...have you submitted said fix anywhere where I missed
it?
 
> I've spoken by voice with one of the rational core team members in the last
> hour.  I've given him some time to work the issues with the rest of you --
> and I note, HE asked for that time -- not me.  But barring some kind of 
> RATIONAL resolution on this that I can see within the next two hours, 
> the announcements *ARE* going out to the general Internet community (at
> roughly 8:00 PM tonight Chicago time).
>
	Urmmm...ultimatums?  If I don't get my way, I'm going to go
tell my daddy?
 
> Unlike you, Poul, I believe that if I find out about something like this 
> I owe it to the community *as one of its members* to disclose it so OTHER
> PEOPLE DON'T GET HURT, or at least, so they know they're at risk.
>
	Actually, if this is such a serious problem, have you tried 
submitting a CERT advisory to that effect?  Not sure the procedure for
doing so, but I imagine that that would be the proper route to take
instead of throwing a temper tantrum, no?
 
> The Core team has refused.  That doesn't change my stance one bit -- it 
> only changes who's going to do the talking.
>
	Woo hoo...Karl Denninger...the Knight in Shining Armor to the 
rescue...*groan*


	BTW...although it doesn't really belong anywhere, can we move
this to chat instead?  It's a little more appropriate there...




