From owner-freebsd-questions@FreeBSD.ORG Wed Sep 16 15:27:58 2009
Date: Wed, 16 Sep 2009 14:59:27 +0000
From: Paul Schmehl
To: freebsd-questions@freebsd.org
Message-ID: <19BF38262156A790CFBB927F@utd65257.utdallas.edu>
In-Reply-To: <20090916070850.213b1dfa@scorpio.seibercom.net>
References: <4AAE95B2.5050409@sitpub.com> <20090915131829.0b0a0ab7.wmoran@potentialtech.com> <20090915141317.7a41b042@scorpio.seibercom.net> <200909152051.40695.mel.flynn+fbsd.questions@mailing.thruhere.net> <20090915151425.4b6ce6f2@scorpio.seibercom.net> <4AAFEAFB.9030603@pixelhammer.com> <20090915163711.406257a6@scorpio.seibercom.net> <4ab089ee.pco85GKJ5xtY03wv%perryh@pluto.rain.com> <20090916070850.213b1dfa@scorpio.seibercom.net>
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry wrote:

>
> On Tue, 15 Sep 2009 23:47:10 -0700
> perryh@pluto.rain.com wrote:
>
>> Jerry wrote:
>> > Waiting until someone is harmed is tantamount to being an
>> > accomplice to the act.
>>
>> And providing details of a currently-undefendable vulnerability
>> to a black hat who did not previously know about it, thereby
>> enabling the black hat to perpetrate harm that would otherwise
>> not have occurred, isn't?
>
> The simple act of publishing the fact that a known exploit exists for a
> given program compromises nothing. Example:
>
> WARN: The following program(s) have known exploits.
>
> PROGRAM: prog-name
> PROGRAM VERSION: 2.4
> OS: FreeBSD-7.2+
> EXPLOIT: Potential to render HD inaccessible
> PATCH: NONE AVAILABLE
> SUGGESTION: If prog-name is not imperative to system
> performance, remove it and consider using a similar
> product by another author.
>
> A simple solution that affords the end user the right to make an
> informed decision. I realize that governments, especially
> socialistic/fascist ones, use the terms 'censorship' and 'secret' with
> the term 'For their own good' interchangeably. I would hate to see the
> open-source community, especially FBSD, embracing that philosophy.
>

Are you really serious? What you posted (your example) does absolutely no good for the average user. What are you going to do? Stop using the program? And how can you possibly make an "informed decision" when you know nothing other than the fact that something is wrong?

OTOH, it's all an attacker needs to start digging around and successfully break in.

Think about this. A guy wants to find a pot of gold. He goes to a field and finds 12,000 pots. Where does he start?
Along comes someone who believes in "freedom of speech" and says, "Well, I don't know where the gold is, but that pot over there is a good place to look. I happen to know that it was put there recently and there was a lot of secrecy surrounding it."

Or an attacker approaches a seemingly impenetrable castle, trying to figure out how to defeat the army inside. He knows he's going to have to probe every area and lose many men in the process in order to find a weakness he can exploit. Then one soldier, believing in "freedom", sends them a message that there's a weakness on the north face of the wall. He doesn't tell them exactly where, but he's managed to focus their efforts on the area most likely to allow them to breach the wall and defeat the army inside; he's reduced the attacker's efforts by three fourths and reduced their losses as well.

You clearly don't understand the advantage that hackers have over the average user.

Rather than censorship, how the FreeBSD team handles issues like this is good stewardship. They have a responsibility to the community to protect them. They do that by not irresponsibly trumpeting known weaknesses before a solution is available to the end users.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson