Date: Sat, 18 May 1996 00:17:47 +0200 (MET DST)
From: "Mikael Karpberg" <karpen@sea.campus.luth.se>
To: freebsd-security@FreeBSD.org
Subject: Re: very bad
Message-ID: <199605172217.AAA00505@sea.campus.luth.se>
In-Reply-To: <199605171621.KAA15772@natasha.scccc.com> from "Kevin J. Duling" at May 17, 96 10:21:57 am
Hello!

> > Hi,
> >
> > What IS very bad about this whole thing isn't the existence of this bug
> > as much as how easily information about it can be obtained. Even if
> > you do send a patch along with the info, there is still the danger that someone
> > gets up earlier than root, and then ... (sweet dreams, root!)
>
> What might be a better solution is to announce that "There is a problem"
> then provide the fix...but don't illustrate the problem. That way everyone
> is immediately notified of the problem and a fix for it, but you don't have
> a list of instructions for how to crack in.
>
> Personally, I prefer having the instructions, but it's not a good idea...

Exactly. I think too many here have been cheering on Chris for announcing the bug. Not that it was not a good thing he did, since it was already out on other lists.

There is no such thing as a list where only "serious admins" will be on. First, it would probably have to be encrypted, or something. Second, it's not like a root is always a nice person. I'm a root on my private little machine on the campus net here, for example. Anyone on here with a PC is a root on a FreeBSD machine if he likes. A root could also just care for his own system and hack other people's, trying to use their resources, or whatever. In any case, they can mail from root on a machine and join the "secure list".

Sending bugs you find ONLY to security-officer@freebsd.org enables him to fix a patch (a quick one like the chmod in this case, or a more drastic one if needed) and mail to the list that there is a dangerous security hole and how to fix it. That way you can, if not stop, then at least slow down the guys that want to use the information to crack a system. And you still give the admins as much time to fix the hole as they get from a complete instruction on how to exploit it. Then, say two to three weeks later, you can post what the hole was about and what has been done, etc.

Then we honest guys that are merely interested in the details for fun still get to know them. The admins get a way to fix the hole before crackers get to them, though, and a safe list is not needed.

Just my $0.02...

/Mikael