From owner-freebsd-questions@FreeBSD.ORG Tue Sep 15 18:51:43 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9D1D2106566C; Tue, 15 Sep 2009 18:51:43 +0000 (UTC) (envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 658D58FC2A; Tue, 15 Sep 2009 18:51:43 +0000 (UTC)
Received: from smoochies.rachie.is-a-geek.net (mailhub.lan.rachie.is-a-geek.net [192.168.2.11]) by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id 821BD7E818; Tue, 15 Sep 2009 10:51:55 -0800 (AKDT)
From: Mel Flynn
To: freebsd-questions@freebsd.org
Date: Tue, 15 Sep 2009 20:51:40 +0200
User-Agent: KMail/1.12.1 (FreeBSD/8.0-BETA4; KDE/4.3.1; i386; ; )
References: <4AAE95B2.5050409@sitpub.com> <20090915131829.0b0a0ab7.wmoran@potentialtech.com> <20090915141317.7a41b042@scorpio.seibercom.net>
In-Reply-To: <20090915141317.7a41b042@scorpio.seibercom.net>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200909152051.40695.mel.flynn+fbsd.questions@mailing.thruhere.net>
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 15 Sep 2009 18:51:43 -0000

On Tuesday 15 September 2009 20:13:17 Jerry wrote:
> On Tue, 15 Sep 2009 13:18:29 -0400
> Bill Moran wrote:
>
> > On Tue, 15 Sep 2009 13:03:50 -0400
> > Jerry wrote:
> >
> > > On Tue, 15 Sep 2009 11:13:31 -0400
> > > Bill Moran wrote:
> > >
> > > > In response to Jerry:
> > > >
> > > > > I usually discover security problems with updates I receive from
> > > > > . Aren't FreeBSD security problems reported to their site? If
> > > > > not, why? IMHO, keeping users in the dark to known security
> > > > > problems is not a serviceable protocol.
> > > >
> > > > Because releasing security advisories before there is a fix
> > > > available is not responsible use of the information, and (as is
> > > > being discussed) the fix is still in the works.
> > >
> > > I disagree. If I have a medical problem, or whatever, I expect to
> > > be informed of it. The fact that there is no known cure, fix, etc.
> > > is immaterial, if in fact not grossly negligent.
> >
> > This is a stupid and non-relevant comparison. A better comparison
> > would be if I realized that you'd left your car door unlocked in a
> > less than safe neighborhood. Would you rather I told you discreetly,
> > or just started shouting it out loud to the neighborhood? Wait, I
> > know the answer, if I see _your_ car unlocked, I'll just start
> > shouting.
>
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.

Please inform yourself properly before assuming you're right. Mozilla does not
by default publish vulnerabilities before a fix is known. In some cases
publishing has been delayed by months. The exception is when exploits are
already in the wild and a workaround is available, while a real fix will take
more work. This is also why vulnerabilities are typically not disclosed till a
fix is known: it does not protect the typical user, but puts him in harm's way,
which is exactly what you don't want.

In theory, if I know the details of this particular exploit, I can patch my 6.4
machines myself, but more realistically, if developers take all this time to
come up with a solution that doesn't break functionality, the chances that I
and more casual users can do this are slim. Meanwhile, the exploit will be
coded into the usual rootkits and internet scanners and casualties will be
made. That doesn't help anyone.
-- 
Mel