[NMLUG] Oops! Linux Bug Escapes Early

C. Ulrich nmlug@swcp.com
Fri, 30 Nov 2001 13:39:54 -0700


I have read all of the other posts on this thread, but wanted to contribute a 
couple of things.

First, this issue of keeping exploits confidential vs releasing everything 
known about them has been around almost as long as there have been computer 
networks. In a very well-researched book (IMHO) called The Underground, 
several hackers of the early 80's tell that exploits to common operating 
systems were very carefully guarded by vendors and security professionals. 
Virtually nothing was made public. Fixes for the (known) exploits were 
supplied to users and most system administrators in the form of a software 
upgrade. Ergo, you really didn't know whether this new release added a couple 
new features, or fixed some gaping security hole. You just installed the 
upgrade and went about your merry way.

This type of policy, I feel, is what a lot of vendors and security 
professionals are trying to go back to. (Microsoft seems to be the biggest 
proponent of this, though I will stash the flames for another day.)

Anyway, back to the 80's. Flaws in this system began to show when one or two 
hackers would find emails or text documents detailing these "closely kept" 
exploits and revealed them to their comrades. Suddenly, hundreds of system 
administrators throughout the world would see attacks on their machines but 
were absolutely helpless to do anything about it at the moment because those 
with knowledge of the exploits kept it to themselves in the fear that the 
information would find its way to hackers. A case of defeating your own 
purpose.

These kinds of incidents began a movement among some system administrators 
and security professionals to have information of security holes distributed 
as widely as possible and as soon as possible. Vendors in particular obviously 
didn't like this since it meant that they would have to expend extra effort 
on getting fixes out on time but most importantly it would cast a shadow of 
doubt on their products every time an exploit was found. However that 
movement, as far as I can tell, succeeded for the most part.

My opinion is that the old "closed doors" policy of security information just 
can't work today for two primary reasons. 

1) The internet. Anybody who has spent enough time on this network knows as a 
fact that information here travels at the speed of light and seems to know no 
obstacles. Thus, if you have a secret, you should never be discussing it 
anywhere near the internet nor with anybody who has access to it. And let's 
face it, that's pretty much infeasible.

2) Open source software is gaining incredible momentum. Keeping knowledge of 
exploits on OSS just goes totally against the grain of everything that OSS 
stands for. From a security standpoint, what good is open source software if 
you treat it the same way as closed source? I am deeply saddened by the 
vendors that tried to keep this wu-ftpd exploit under wraps until they had 
patches ready. Don't get me wrong, I DO see their rationale and I applaud 
their intentions. But I would MUCH rather know that the exploit exists so 
that I can take action until patches arrive than take the chance that no one 
outside the vendors and professional security community will find out about 
it and start attacking my systems before the information is officially 
released. (See reason #1.)

I know I've left out a lot of points to this argument but these are my 
general feelings on this issue. Also, my knowledge of security in the very 
early 80's could be a little off. I'm open to corrections.

--C. Ulrich

On Friday 30 November 2001 09:45, you wrote:
> If you're still using wuftpd on a production box you should stop. Now.
> It's had more remote exploits than any other ftpd I've ever seen.
> proftpd is a good one and there are many others. I'm not even sure why
> wuftpd is still used by the major distros, AFAIK it doesn't offer
> anything special.
>
> Also, I don't know how I feel about these "coordinated releases". To me,
> it just gives crackers more time to exploit the holes. It's a little too
> close to Microsoft's new plan to hide security info for 30 days (!) to
> give them a chance to do spin control and patch the hole. The idea that
> a hole hasn't been discovered until a vendor releases a patch is
> laughable. _Many_ security holes and exploit tools float around the
> underground community for a long time (years in some cases) before being
> discovered and patched by the vendors or white hat security people. Not
> to say that totally underground exploits are as widely used as public
> ones but keeping a patch in hiding doesn't allow me to patch my systems
> and is as useful as closed source software, which is to say not very.
> Like I say, I'm not 100% sure about how I feel about this yet so if
> somebody has some persuasive arguments for coordinated releases I'd like
> to hear them. (and yes, I'm trying to generate some discussion, the list
> has been somewhat quiet recently :) )
>
> Eric Krieger wrote:
> > danger, danger will robinson! red hat fans take notice.
> >
> > http://securityfocus.com/news/293
> >
> > eric
> >
> >
> > ------------------------------------------------------
> > To UNSUBSCRIBE send a message to nmlug-request@swcp.com
> > with only the word unsubscribe in the body.  More
> > information can be found at www.nmlug.org/info.html
> > -----------------------------------------------------