From: Jerry <gesbbb@yahoo.com>
To: freebsd-questions@freebsd.org
Date: Tue, 15 Sep 2009 15:14:25 -0400 (EDT)
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <20090915151425.4b6ce6f2@scorpio.seibercom.net>
In-Reply-To: <200909152051.40695.mel.flynn+fbsd.questions@mailing.thruhere.net>
Organization: seibercom.net
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.16.6; i386-portbld-freebsd7.2)

On Tue, 15 Sep 2009 20:51:40 +0200 Mel Flynn wrote:

> Please inform yourself properly before assuming you're right. Mozilla
> does not by default publish vulnerabilities before a fix is known. In
> some cases publishing has been delayed by months. The exception is
> when exploits are already in the wild and a workaround is available,
> while a real fix will take more work.
>
> This is also why vulnerabilities are typically not disclosed till a
> fix is known, because it does not protect the typical user, but puts
> him in harm's way, which is exactly what you don't want.
>
> > In theory, if I know the details of this particular exploit, I can
> > patch my 6.4 machines myself, but more realistically, if developers
> > take all this time to come up with a solution that doesn't break
> > functionality, the chances that I and more casual users can do this
> > are slim. Meanwhile, the exploit will be coded into the usual
> > rootkits and internet scanners and casualties will be made. That
> > doesn't help anyone.

Assume that I have discovered a vulnerability in a widely used, or even
marginal, for argument's sake, program. I now start to exploit that
vulnerability. Now assume that you are responsible for maintaining that
program. Use any job description that suits you for this purpose. Are
you claiming that since it may take several months to fix, it is better
to let users be exploited rather than inform them that there is an
exploitable problem in said software? I find that extremely disturbing.

As you can no doubt tell, I am not a believer in the "Ignorance is
bliss" theory.

-- 
Jerry
gesbbb@yahoo.com

In the days of old,
When Knights were bold,
And women were too cautious;
Oh, those gallant days,
When women were women,
And men were really obnoxious.