Date:      Mon, 03 Feb 1997 14:20:19 +0100
From:      Poul-Henning Kamp <phk@critter.dk.tfs.com>
To:        tqbf@enteract.com
Cc:        dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject:   Re: Critical Security Problem in 4.4BSD crt0 
Message-ID:  <809.854976019@critter.dk.tfs.com>
In-Reply-To: Your message of "Mon, 03 Feb 1997 06:45:46 CST." <199702031246.GAA24561@enteract.com> 

In message <199702031246.GAA24561@enteract.com>, "Thomas H. Ptacek" writes:
>> There is no reason to provide free munitions to criminals.
>
>You're kidding yourself if you think the criminals don't have these
>munitions already. As previously stated, the vulnerability we're
>discussing is being actively exploited on the network. The case is
>probably the same with every other vulnerability you have, or will, find
>in your code. 

Some of them, but remember that there is also a great deal of misguided
youth out there.

>until the FreeBSD project gets someone like Mr. de
>Raadt to comb the entire source tree.
Rendering /sbin/restore broken as a result... :-(  I'm not impressed.

>FreeBSD project will probably not be the first people to become aware of
>security issues with FreeBSD code.

sometimes, sometimes not.

>> On the other hand, vulnerabilities that have been announced publically
>> we answer publically with the relevant information.
>
>freebsd-security@freebsd.org isn't considered "public announcement"?

I'm not really active in that end of it, and I'm sure we can use more
people for it :-)  So if you have some time...

>> No easy solution I'm afraid.
>
>Sure there is. Every security vulnerability you find in your code needs to
>be patched immediately by everyone running the vulnerable code. Nobody is
>going to know that their code is vulnerable unless you tell them.

This is unfortunately a lot easier said than done.  If you want to spearhead
this effort, please say so, we can always use more manpower.

>Chances are, someone has already found the vulnerability you're looking at
>and is using it to compromise hosts running the problematic code. 

Then again, chances are that they haven't; we will (usually) never know.

>If you don't intend to do that, the only recourse we have is to post
>problem details publically as soon as they are found, including
>exploitation details. This is the only way the problems will be taken
>seriously by "security incident response teams", and announcement from
>"security incident response teams" seem to be the only thing that ever
>prompts the FreeBSD team to release a security announcement. 

You know, it reminds me of the news a couple of days ago that students
in South Korea had used a 30000 item irreplaceable rock collection from
the university as projectiles against police in the recent riots.

It's a lot easier to be a "rebel" than to be the "official party".

How about this:  If you find a hole, you send us a patch, and if we
do not fix it within a particular period (two weeks ?) you can post it
to the world ?

Wouldn't that seem more fair ?

I believe in fixing any problem we hear about, but I also believe in
not washing our laundry in public.  If I find a security hole, and
nobody has exploited it yet, I still see no reason for me to yell
out over the entire world that it's there.  The fact that people
will upgrade their systems and as such close the hole next time
is good enough for me.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.