Date: Sat, 18 May 1996 09:00:44 +1000
From: Danny Smith <danny@auscert.org.au>
To: invalid opcode <coredump@nervosa.com>
Cc: Vladimir Jojic <vjojic@eunet.yu>, freebsd-security@freebsd.org
Subject: Re: very bad
Message-ID: <199605172300.JAA15072@amethyst.auscert.org.au>
In-Reply-To: Your message of "Fri, 17 May 1996 09:52:26 MST." <Pine.BSF.3.91.960517095034.21586J-100000@onyx.nervosa.com>
invalid opcode writes:
> On Fri, 17 May 1996, Danny Smith wrote:
>
> > Another unfortunate part is that it is approaching midnight in Australia
> > (and it is now past midnight in New Zealand) at the start of the weekend.
> > Posting vulnerability information like this has not helped any system
> > administrators if they are all home for the weekend. All it has done
> > is increase the exposure of their systems to attack by more people.
>
> First off, I wouldn't have posted it had it been a secret little bug. But
> it wasn't, it was already out on 2 mailing lists which probably have
> close to 10,000 people on them, 50% of which are people who LOOK for
> these types of bugs so they can login to their accounts running FreeBSD
> and exploit it. At this point, the more exposure it gets, the more
> root@vulnerablehost will hear about it and fix it.

Again, the debate of full disclosure arises. I recognise that by mailing on this again, I am inflaming the situation.

For the record, I am not against full disclosure, but it must be done correctly. Posting full "how to" instructions late on a Friday night is not the "correct" way to do it. I accept that the information was available elsewhere initially. The problem lay more in the original posting to the first list, rather than the last. I am not pointing fingers, since the information is out now and the community must deal with that.

As suggested by others, once a suitable workaround can be developed, then simply an acknowledgement of the problem and a supplied workaround *at the same time* would suffice.

There is so much security information available that it is difficult to know what is real, what is false, and what will correctly fix the problem. Everyone has an opinion. Posting a notice like "There is a hole in FreeBSD. Make /bin/sh SUID to fix the current problem" is obviously false information. Other subtle code fixes presented to groups may contain either malicious fixes, or may introduce further problems.

How is the poor system administrator supposed to "know" what is correct and what isn't? (The fix to this problem obviously solves the problem; what does it break, though?)

The other situation of "FreeBSD 2.1.0 is affected - I don't care about anything else" is really just a selfish attitude. How many other releases are affected? What about other versions of BSD? Are there any other related programs? Is it better to fix the code, work around the problem, or disable the service? What will I break? These questions really need answers before alerting the wider community with full "how to" instructions.

It is unfortunate that there are system administrators that are not as talented as many of the readers on this list. They need explicit instructions for closing holes, and for binary-only operating systems, these must often come from the vendor. Many people choose to use FreeBSD and similar simply because you get the source code. So long as you are able to use the source code, then you are way ahead of the rest. Most are not in this enviable position though.

Enough of my wasting your time. Again, I apologise for inflaming the situation. If anyone wants to continue this discussion off-line from the mailing list, then I am happy to have a "sensible, mature" discussion of some of the issues.

Danny Smith.

==========================================================================
Danny Smith                  | Fax: +61 7 3365 4477
AUSCERT                      | Phone: +61 7 3365 4417
c/- Prentice Centre          | (answered during business hours)
The University of Queensland | (on call after hours for emergencies)
Qld. 4072. Australia         | Internet: auscert@auscert.org.au

Standard Disclaimer: My opinions do not necessarily reflect the policy of AUSCERT or The University of Queensland.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199605172300.JAA15072>