From owner-freebsd-current Tue Feb 4 17:59:32 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA11125 for current-outgoing; Tue, 4 Feb 1997 17:59:32 -0800 (PST)
Received: from thelab.hub.org (hal-ns1-42.netcom.ca [207.181.94.106]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA11104 for ; Tue, 4 Feb 1997 17:59:25 -0800 (PST)
Received: from thelab.hub.org (localhost [127.0.0.1]) by thelab.hub.org (8.8.4/8.8.2) with SMTP id VAA04402; Tue, 4 Feb 1997 21:43:18 -0400 (AST)
Date: Tue, 4 Feb 1997 21:43:18 -0400 (AST)
From: The Hermit Hacker
Reply-To: chat@freebsd.org
To: Karl Denninger
cc: Poul-Henning Kamp , jkh@time.cdrom.com, current@freebsd.org
Subject: Re: Question: 2.1.7?
In-Reply-To: <199702050002.SAA05789@Jupiter.Mcs.Net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 4 Feb 1997, Karl Denninger wrote:

> > >In other words, you don't like opposing points of view.
> >
> > We don't mind opposing views one bit.
> >
> > What we >do< mind is people who can >only< talk in extremes and ultimatums.
> >
> > People who don't know why the middle road has to be found, because they
> > see the world from the trench on one side of the road.
>
> When the patient is bleeding from the arteries, there is no time to talk
> about middle ground. You do the triage first, THEN assess what and how to
> take care of the underlying problem.
>
> The problem here is that Jordan refuses to admit that the patient is already
> without heartbeat and bleeding to death on the table.

I sure am glad you aren't a doctor, Karl... you are the only one in this
argument so far that has pronounced the patient dead... would hate to be
your patient, you'd be burying me alive :(

> > You would get much more of your usually not entirely unreasonable
> > suggestions through if you communicated them in a civilized manner
> > rather than as a monkey on caffeine.
>
> I START being reasonable. When I'm dismissed out of hand and ignored on
> something that is of extreme importance then it's time to up the volume more
> than a few notches. When the other party starts getting into the whole
> "you're smoking crack" game then it's time to give up on reasonable
> discourse and decide if the issue is important enough to pursue.
>
> In this case, it is. Therefore, I'm pursuing it with all available means
> at my disposal and will do so until it's resolved.

So, we have one camp that, although they most likely admit there is a
problem, doesn't consider your solution acceptable... and there is you.

> > As far as I know the FreeBSD project is in the process of finding out
> > how to respond to this problem.
>
> The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
> servers and make a PUBLIC announcement that the vulnerability has been
> found.

Geez, if every OS did that each time CERT put out an advisory concerning
one hole or another, we'd never have anything to run on our machines... :)

> The reason you do this is so that *MORE PEOPLE DO NOT GET HURT*.

Hrmmm... I'm personally running 3.0 on my home machine, so this bug may be
fixed already, but I'm curious as to how many out there are going to "get
hurt"... from what I've seen so far in this discussion (and sorry, I
arrived late and overlooked some of it)... the problem seems to involve
daemons that would require someone to have an account *on* my machine to
start off with ("at" being the one that comes to mind)... since I'm the
only one with an account on my home machine, I don't have any risk (again,
I could have missed the discussion where a list of daemons with this bug
was presented, and, if so... sorry)

> > Being a volunteer, spare-time, unpaid
> > project, we cannot just call everybody to attention and fix it in 10min
> > flat. We need the planet to rotate a couple of times to get people
> > mobilized.
>
> You're missing the point, Poul. Nobody is demanding an instant fix.
>
> What I'm demanding is that you ADMIT IT IS BROKEN, and help stop people
> from being burned by it. You can't save the world, but you CAN mitigate
> further damage. You do this by WARNING PEOPLE and giving them fair notice
> *BEFORE* their disks get formatted or moles inserted into their systems
> which 99% of the admins will NEVER find.
>
> The problem is that the CORE team has REFUSED TO ADMIT IT'S BROKEN and take
> action to minimize the ONGOING damage. And yes, that means killing the
> 2.1.6 CD shipments and removing the distribution from the FTP sites.
>
> RIGHT NOW. Not tomorrow, not in a week when you have a fix.
>
> NOW.

See comment above about CERT advisories... *shrug* If vendors started
pulling releases each time a CERT advisory came out about a *hole* in the
OS, we wouldn't have any OSs to run :(

> If I have to call Walnut Creek tomorrow morning and plead my case with them
> I will. I'll go to the wall on this, because I absolutely do not need the
> problems on *MY* network that come from customers who attach known-to-be-
> insecure machines and then come looking to us when they get hacked to little
> bits. I also don't need the random disruptions that we end up with when
> we're forced into picking up the pieces when others in the community get
> screwed.

Ah, a good Samaritan...

> > If this is not good enough for you, you have three choices:
> > 1. Pay somebody to fix it "right now!" (You can look in our
> > web pages for people offering services of that kind.)
> > 2. Do it yourself.
>
> Already did that. That's not what's under discussion here. What's under
> discussion is your responsibility to the entire Internet community that uses
> the software you publish. Not whether or not Karl Denninger got screwed and
> how pissed he is over that event (I didn't GET screwed).

Ah, so you just wish to hear yourself rant over something that didn't
affect you? I'm curious, but you state that you have already performed
option 2... have you submitted said fix anywhere where I missed it?

> I've spoken by voice with one of the rational core team members in the last
> hour. I've given him some time to work the issues with the rest of you --
> and I note, HE asked for that time -- not me. But barring some kind of
> RATIONAL resolution on this that I can see within the next two hours,
> the announcements *ARE* going out to the general Internet community (at
> roughly 8:00 PM tonight Chicago time).

Urmmm... ultimatums? If I don't get my way, I'm going to go tell my daddy?

> Unlike you, Poul, I believe that if I find out about something like this
> I owe it to the community *as one of its members* to disclose it so OTHER
> PEOPLE DON'T GET HURT, or at least, so they know they're at risk.

Actually, if this is such a serious problem, have you tried submitting a
CERT advisory to that effect? Not sure of the procedure for doing so, but I
imagine that that would be the proper route to take instead of throwing a
temper tantrum, no?

> The Core team has refused. That doesn't change my stance one bit -- it
> only changes who's going to do the talking.

Woo hoo... Karl Denninger... the Knight in Shining Armor to the rescue... *groan*

BTW... although it doesn't really belong anywhere, can we move this to chat
instead? It's a little more appropriate there...