Date: Tue, 15 Sep 2009 16:37:11 -0400
From: Jerry <gesbbb@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <20090915163711.406257a6@scorpio.seibercom.net>
In-Reply-To: <4AAFEAFB.9030603@pixelhammer.com>
References: <4AAE95B2.5050409@sitpub.com> <20090915131829.0b0a0ab7.wmoran@potentialtech.com> <20090915141317.7a41b042@scorpio.seibercom.net> <200909152051.40695.mel.flynn+fbsd.questions@mailing.thruhere.net> <20090915151425.4b6ce6f2@scorpio.seibercom.net> <4AAFEAFB.9030603@pixelhammer.com>
On Tue, 15 Sep 2009 15:28:59 -0400
DAve <dave.list@pixelhammer.com> wrote:

> Jerry wrote:
> > On Tue, 15 Sep 2009 20:51:40 +0200
> > Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> wrote:
> >
> >> Please inform yourself properly before assuming you're right.
> >> Mozilla does not by default publish vulnerabilities before a fix
> >> is known. In some cases publishing has been delayed by months. The
> >> exception is when exploits are already in the wild and a work
> >> around is available, while a real fix will take more work.
> >>
> >> This is also why vulnerabilities are typically not disclosed till a
> >> fix is known, because it does not protect the typical user, but
> >> puts him in harm's way, which is exactly what you don't want.
> >>
> >> In theory, if I know the details of this particular exploit, I can
> >> patch my 6.4 machines myself, but more realistically, if developers
> >> take all this time to come up with a solution that doesn't break
> >> functionality the chances that I and more casual users can do this
> >> are slim. Meanwhile, the exploit will be coded into the usual
> >> rootkits and internet scanners and casualties will be made. That
> >> doesn't help anyone.
> >
> > Assume that I have discovered a vulnerability in a widely used, or
> > even marginal for argument's sake, program. I now start to exploit
> > that vulnerability. Now assume that you are responsible for
> > maintaining that program. Use any job description that suits you
> > for this purpose. Are you claiming that since it may take several
> > months to fix, it is better to let users be exploited rather than
> > inform them that there is an exploitable problem in said software?
> > I find that extremely disturbing.
> >
> > As you can no doubt tell, I am not a believer in the "Ignorance is
> > bliss" theory.
>
> I believe the point that others are trying to make is this. Your
> example requires that the exploit is known to the blackhats and in
> use currently. Their example assumes that exploit is only known to
> those who discovered it.
>
> This particular exploit is not believed to be known to the black
> hats, and not known to be in use currently.
>
> Is it better for an exploit to remain a secret and not in use,
> protecting those that may not get their systems patched in time (as
> the blackhats *will* most certainly put the exploit to use as soon as
> they are told about it). Or, let the exploit remain a secret until it
> is either fixed and a patch made available or discovered in use by
> blackhats.
>
> I think you are both right. If the exploit is not being used, keep it
> a secret and let the developers design a permanent fix. If the
> exploit is discovered publicly before the fix is out, warn everyone
> loudly and provide a workaround.
>
> I believe all software I am aware of handles exploits with that
> method.

I am not aware of any infallible method of determining if an exploit is
in use. By the time the exploit becomes common knowledge it is usually
too late. Lacking same, I believe in the "Forewarned is Forearmed"
policy. Waiting until someone is harmed is tantamount to being an
accomplice to the act.

-- 
Jerry
gesbbb@yahoo.com

Never buy from a rich salesman.

Goldenstern