From owner-freebsd-security Mon Feb 3 05:19:52 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA27966 for security-outgoing; Mon, 3 Feb 1997 05:19:52 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id FAA27961 for ; Mon, 3 Feb 1997 05:19:50 -0800 (PST)
Received: from schizo.dk.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vrOII-0003vnC; Mon, 3 Feb 97 05:18 PST
Received: from critter.dk.tfs.com (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.2/8.7.3) with ESMTP id OAA02560; Mon, 3 Feb 1997 14:18:43 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id OAA00811; Mon, 3 Feb 1997 14:20:20 +0100 (MET)
To: tqbf@enteract.com
cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 06:45:46 CST." <199702031246.GAA24561@enteract.com>
Date: Mon, 03 Feb 1997 14:20:19 +0100
Message-ID: <809.854976019@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702031246.GAA24561@enteract.com>, "Thomas H. Ptacek" writes:

>> There is no reason to provide free munitions to criminals.
>
>You're kidding yourself if you think the criminals don't have these
>munitions already. As previously stated, the vulnerability we're
>discussing is being actively exploited on the network. The case is
>probably the same with every other vulnerability you have, or will, find
>in your code.

Some of them, but remember that there is also a great deal of misguided
youth out there.

>until the FreeBSD project gets someone like Mr. de
>Raadt to comb the entire source tree.

Rendering /sbin/restore broken as a result... :-(

I'm not impressed.

>FreeBSD project will probably not be the first people to become aware of
>security issues with FreeBSD code.

Sometimes, sometimes not.

>> On the other hand, vulnerabilities that have been announced publicly
>> we answer publicly with the relevant information.
>
>freebsd-security@freebsd.org isn't considered "public announcement"?

I'm not really active in that end of it, and I'm sure we can use more
people for it :-) So if you have some time...

>> No easy solution I'm afraid.
>
>Sure there is. Every security vulnerability you find in your code needs to
>be patched immediately by everyone running the vulnerable code. Nobody is
>going to know that their code is vulnerable unless you tell them.

This is unfortunately a lot easier said than done. If you want to
spearhead this effort, please say so; we can always use more manpower.

>Chances are, someone has already found the vulnerability you're looking at
>and is using it to compromise hosts running the problematic code.

Then again, chances are that they haven't; we will (usually) never know.

>If you don't intend to do that, the only recourse we have is to post
>problem details publicly as soon as they are found, including
>exploitation details. This is the only way the problems will be taken
>seriously by "security incident response teams", and announcement from
>"security incident response teams" seem to be the only thing that ever
>prompts the FreeBSD team to release a security announcement.

You know, it reminds me of the news a couple of days ago that students in
South Korea had used a 30000-item irreplaceable rock collection from the
university as projectiles against police in the recent riots.

It's a lot easier to be a "rebel" than to be the "official party".

How about this: if you find a hole, you send us a patch, and if we do not
fix it within a particular period (two weeks?) you can post it to the
world? Wouldn't that seem more fair?

I believe in fixing any problem we hear about, but I also believe in not
washing our laundry in public. If I find a security hole, and nobody has
exploited it yet, I still see no reason for me to yell out over the entire
world that it's there. The fact that people will upgrade their systems and
as such close the hole next time is good enough for me.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.