[NMLUG] Oops! Linux Bug Escapes Early

Matt Grommes nmlug@swcp.com
Fri, 30 Nov 2001 13:38:50 -0700


If my system gets hacked because $DISTRO is holding back on a fix, 
that's enough damage for me. If those 5 guys hack Amazon.com and get 30 
million people's credit card numbers that's enough damage for most 
people and not good for the community as a whole.

There are very few big hacks that go on that are not perpetrated by a 
single person. 1 guy with an exploit can do a heck of a lot of damage.

How is Redhat going to explain to a corporate customer that they held 
back a patch for that security hole that cost them millions of dollars 
"for the good of the community"? Security is not done for the good of 
anybody except the individual. If a distro company can't make a patch as 
fast as another distro company, that's too bad for them. People will choose 
another distro company. If an admin can't apply a patch in time, too 
bad. The company will probably choose another admin. I'd love to be able 
to make sure that all my admin friends get the patches for security 
holes before the bad guys. Unfortunately I cannot afford to assume 
that's going to happen. I have to look out for my systems first.


Here's a good article by Bruce Schneier about Full Disclosure: 
http://www.counterpane.com/crypto-gram-0111.html. It's a good read for 
everybody interested in this topic.



Warner Losh wrote:

> In message <3C07D0BE.8060808@spinn.net> Matt Grommes writes:
> 
> You fail to realize that it is better, for the greater community, to
> keep things quiet if only 5 people know about it and are exploiting it
> until a solution is available than to broadcast it to the world.
> Those 5 people can do relatively little damage.  Allowing all $DISTRO
> to fix it then putting the PR push for people to upgrade is more
> effective.
> 
> Your black and white worldview is good for usenet postings, but not
> good policy.
> 
> Warner


-- 

			--   Matt Grommes   --
"All these worlds are belong to you, except Europa. Take off no zigs there."

------------------------------------------------------
To UNSUBSCRIBE send a message to nmlug-request@swcp.com
with only the word unsubscribe in the body.  More
information can be found at www.nmlug.org/info.html
-----------------------------------------------------