[NMLUG] Oops! Linux Bug Escapes Early

Warner Losh nmlug@swcp.com
Fri, 30 Nov 2001 12:42:43 -0700


In message <3C07D0BE.8060808@spinn.net> Matt Grommes writes:
: My problem with the idea of a secret behind-the-scenes security policy 
: is that like I say, you're assuming too much. You're assuming that 
: nobody else has the exploit (unlikely), you're assuming nobody within 
: the discovering organization is passing info to others (not too likely), 
: you're assuming that only script kiddies use exploits (absolutely 
: incorrect). I don't care if 1 or 1 million people have an exploit if 
: that 1 person is going to use it to hack my system. Once 1 guy has an 
: exploit they may use it sparingly to hack only certain systems and pass 
: the info along to friends who will use it sparingly. Just because only 5 
: guys in the world have the exploit doesn't mean it doesn't matter. The 
: idea that a security hole isn't an issue until "everyone and their pet 
: frog" has the exploit is wrong. If somebody at $DISTRO found an 
: exploitable hole in their product, the probability that somebody else 
: has found that hole is non-zero. That's the point of open source 
: software. My systems are important enough to me that I'm going to assume 
: that everybody in the world has point-and-click exploit tools for every 
: root level security hole (the speed at which I saw CodeRed IIS exploit 
: attempts hit my apache boxes after the last couple of holes were 
: released validates my paranoia, those tools were ready before I had time 
: to read my email that morning and definitely before the hole was widely 
: known). I choose not to assume.

You fail to realize that it is better, for the greater community, to
keep things quiet if only 5 people know about it and are exploiting it
until a solution is available than to broadcast it to the world.
Those 5 people can do relatively little damage.  Allowing all $DISTRO
to fix it then putting the PR push for people to upgrade is more
effective.

Your black and white worldview is good for usenet postings, but not
good policy.

Warner