Date: Tue, 15 Sep 2009 20:51:40 +0200 From: Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> To: freebsd-questions@freebsd.org Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD Message-ID: <200909152051.40695.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> In-Reply-To: <20090915141317.7a41b042@scorpio.seibercom.net> References: <4AAE95B2.5050409@sitpub.com> <20090915131829.0b0a0ab7.wmoran@potentialtech.com> <20090915141317.7a41b042@scorpio.seibercom.net>
On Tuesday 15 September 2009 20:13:17 Jerry wrote:
> On Tue, 15 Sep 2009 13:18:29 -0400
> Bill Moran <wmoran@potentialtech.com> wrote:
> > On Tue, 15 Sep 2009 13:03:50 -0400
> > Jerry <gesbbb@yahoo.com> wrote:
> > > On Tue, 15 Sep 2009 11:13:31 -0400
> > > Bill Moran <wmoran@potentialtech.com> wrote:
> > > > In response to Jerry <gesbbb@yahoo.com>:
> > > > > I usually discover security problems with updates I receive from
> > > > > <http://www.us-cert.gov/>. Aren't FreeBSD security problems
> > > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > > dark to known security problems is not a serviceable protocol.
> > > >
> > > > Because releasing security advisories before there is a fix
> > > > available is not responsible use of the information, and (as is
> > > > being discussed) the fix is still in the works.
> > >
> > > I disagree. If I have a medical problem, or whatever, I expect to
> > > be informed of it. The fact that there is no known cure, fix, etc.
> > > is immaterial, if in fact not grossly negligent.
> >
> > This is a stupid and non-relevant comparison. A better comparison
> > would be if I realized that you'd left your car door unlocked in a
> > less than safe neighborhood. Would you rather I told you discreetly,
> > or just started shouting it out loud to the neighborhood? Wait, I
> > know the answer, if I see _your_ car unlocked, I'll just start
> > shouting.
>
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.

Please inform yourself properly before assuming you're right.

Mozilla does not by default publish vulnerabilities before a fix is known. In some cases publishing has been delayed by months. The exception is when exploits are already in the wild and a workaround is available, while a real fix will take more work.

This is also why vulnerabilities are typically not disclosed until a fix is known, because it does not protect the typical user, but puts him in harm's way, which is exactly what you don't want.

In theory, if I know the details of this particular exploit, I can patch my 6.4 machines myself, but more realistically, if developers take all this time to come up with a solution that doesn't break functionality, the chances that I and more casual users can do this are slim. Meanwhile, the exploit will be coded into the usual rootkits and internet scanners and casualties will be made. That doesn't help anyone.
-- 
Mel