From owner-freebsd-questions@FreeBSD.ORG Tue Sep 15 19:29:18 2009
Message-ID: <4AAFEAFB.9030603@pixelhammer.com>
Date: Tue, 15 Sep 2009 15:28:59 -0400
From: DAve
To: freebsd-questions@freebsd.org
In-Reply-To: <20090915151425.4b6ce6f2@scorpio.seibercom.net>
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD

Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn wrote:
>
>> Please inform yourself properly before assuming you're right. Mozilla
>> does not by default publish vulnerabilities before a fix is known. In
>> some cases publishing has been delayed by months. The exception is
>> when exploits are already in the wild and a workaround is available,
>> while a real fix will take more work.
>>
>> This is also why vulnerabilities are typically not disclosed till a
>> fix is known, because it does not protect the typical user, but puts
>> him in harm's way, which is exactly what you don't want.
>>
>> In theory, if I know the details of this particular exploit, I can
>> patch my 6.4 machines myself, but more realistically, if developers
>> take all this time to come up with a solution that doesn't break
>> functionality, the chances that I and more casual users can do this
>> are slim. Meanwhile, the exploit will be coded into the usual
>> rootkits and internet scanners and casualties will be made. That
>> doesn't help anyone.
>
> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for argument's sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.
>
> As you can no doubt tell, I am not a believer in the "Ignorance is
> bliss" theory.
>

I believe the point that others are trying to make is this. Your example
requires that the exploit is known to the blackhats and in use currently.
Their example assumes that the exploit is only known to those who
discovered it. This particular exploit is not believed to be known to the
black hats, and not known to be in use currently.

Is it better for an exploit to remain a secret and not in use, protecting
those that may not get their systems patched in time (as the blackhats
*will* most certainly put the exploit to use as soon as they are told
about it)? Or, let the exploit remain a secret until it is either fixed
and a patch made available or discovered in use by blackhats?

I think you are both right. If the exploit is not being used, keep it a
secret and let the developers design a permanent fix. If the exploit is
discovered publicly before the fix is out, warn everyone loudly and
provide a workaround. I believe all software I am aware of handles
exploits with that method.

DAve

-- 
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you do
not, I shall repent in heaven that ever I took half the pains to
preserve it."
John Quincy Adams
http://appleseedinfo.org