[NMLUG] Oops! Linux Bug Escapes Early

Matt Grommes nmlug@swcp.com
Fri, 30 Nov 2001 11:32:30 -0700

<long post>

Committing a patch to a source tree and releasing that patch to people 
in the world for addition to a production system are different. I'm 
beginning to see some value in a modified "coordinated release" 
strategy. If somebody at $DISTRO finds a hole and writes a patch, right 
now the strategy is to hold the patch until everybody is ready. I don't 
agree with that because it assumes too much. What I agree with is if 
somebody at $DISTRO finds a hole, they let the other vendors know about 
it while they're working on a patch. If $DISTRO finishes a patch before 
others, I think they have a duty to their customers to release it then. 
The other distros have the info, they should be working hard on a patch 
also (or working jointly with $DISTRO).

My problem with the idea of a secret behind-the-scenes security policy 
is that like I say, you're assuming too much. You're assuming that 
nobody else has the exploit (unlikely), you're assuming nobody within 
the discovering organization is passing info to others (not too likely), 
you're assuming that only script kiddies use exploits (absolutely 
incorrect). I don't care if 1 or 1 million people have an exploit if 
that 1 person is going to use it to hack my system. Once 1 guy has an 
exploit they may use it sparingly to hack only certain systems and pass 
the info along to friends who will use it sparingly. Just because only 5 
guys in the world have the exploit doesn't mean it doesn't matter. The 
idea that a security hole isn't an issue until "everyone and their pet 
frog" has the exploit is wrong. If somebody at $DISTRO found an 
exploitable hole in their product, the probability that somebody else 
has found that hole is non-zero. That's the point of open source 
software. My systems are important enough to me that I'm going to assume 
that everybody in the world has point-and-click exploit tools for every 
root level security hole (the speed at which I saw CodeRed IIS exploit 
attempts hit my apache boxes after the last couple of holes were 
released validates my paranoia; those tools were ready before I had time 
to read my email that morning and definitely before the hole was widely 
known). I choose not to assume.

Warner Losh wrote:

> In message <3C075FA7.17186.E04486@localhost> "Ken Long" writes:
> : Once a fix or patch is made available to us,  the information is public. 
> : How can the information be kept secret but still allow us to patch before 
> : the info goes public?
> By omitting the details of how to exploit it?  By making the change as
> a routine course of business w/o calling attention to it for a short
> period of time?
> : Chicken and egg?
> Not really.
> You are assuming that once the patch is committed to a tree that the
> whole world instantly knows all the implications of that patch and all
> bad people will immediately drop what they are doing to exploit it.
> This generally isn't the case.  The security advisory tends to do
> that.
> Keep in mind that I've been doing exactly this sort of thing for the
> past two years.  We work with people all the time to make sure that we
> quietly fix our system before their announcement of the problem so
> they can point to a fix or we can release our own FreeBSD specific
> announcement within a few hours of when they release theirs.  That way
> the whole world knows about the problem AND THE SOLUTION, rather than
> just a problem without a solution.
> Warner


			--   Matt Grommes   --
"All these worlds are belong to you, except Europa. Take off no zigs there."

To UNSUBSCRIBE send a message to nmlug-request@swcp.com
with only the word unsubscribe in the body.  More
information can be found at www.nmlug.org/info.html