From: Mel Flynn
To: freebsd-questions@freebsd.org
Date: Tue, 15 Sep 2009 21:39:50 +0200
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD

On Tuesday 15 September 2009 21:14:25 Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn wrote:
> > The exception is when exploits are already in the wild and a work around
> > is available, while a real fix will take more work.
>
> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for argument's sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.

Then I suggest you cancel your internet account(s). Also, it helps to read what people are writing.

But for the corner case where you are the person reporting me this vulnerability, telling me you won't exploit it, then do it anyway, there is no guard in place, other than that sooner or later you'll compromise a machine administered by someone able to retrace what happened, and it'll come back to me and I'd move up the timetable, cook up a work around and publish the details.

There is some level of trust between reporter and fixer; whether it be good or bad, it's simply a fact of life and not likely to change.
-- 
Mel