Date: 24 Jun 2002 19:00:13 -0700
From: Ted Cabeen <secabeen@pobox.com>
To: Theo de Raadt <deraadt@cvs.openbsd.org>
Cc: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
Message-ID: <87sn3c6rte.fsf@gray.impulse.net>
In-Reply-To: Theo de Raadt's message of "Mon, 24 Jun 2002 19:11:30 -0600"
References: <200206250111.g5P1BVLJ015666@cvs.openbsd.org>

Theo de Raadt <deraadt@cvs.openbsd.org> writes:

> > I don't disagree that leaks happen.  That's Just the Way It Is.
>
> Not this time.
>
> > I'd
> > rather we had the information now to make wise choices about what to
> > do with deployed systems, custom hacks, and older-but-still-supported
> > releases --- knowing there is a possibility for `leakage' that grows
> > with time.
>
> Ask your vendor.  And ask them to read the following (which I am
> re-posting since people appear not to have read it carefully enough),
> where I lay out very very very clearly what your choices and your
> vendor's choices are.  If you don't like those choices, turn it off.
> What more do you expect?  Ice cream and a pat on the head?  You've
> never had it better!  You get a warning days and days in advance, with
> no leak, and you shoot the messenger!  Bang!  As I said: Hogwash.

I for one, appreciate the early notification.  It allows me to upgrade
or firewall important machines.  That said, the initial warning was a
little vague.  Something that was clearer yet still provided little
information to the blackhats would have been better.  In particular, I
would have liked a more clear statement of the severity of the problem.
From the original email it's not clear if the vulnerability is root or
user level, and whether or not it has been successfully exploited yet.
Of course, it's possible that when the message was written, that wasn't
known yet, and if so then fine.  Regardless, I hope that you will post
further updates as you learn more about the extent of the problem.

-- 
Ted Cabeen  http://www.pobox.com/~secabeen  ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2  secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot  cabeen@netcom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message