Date: Wed, 16 Sep 2009 14:59:27 +0000 From: Paul Schmehl <pschmehl_lists@tx.rr.com> To: freebsd-questions@freebsd.org Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD Message-ID: <19BF38262156A790CFBB927F@utd65257.utdallas.edu> In-Reply-To: <20090916070850.213b1dfa@scorpio.seibercom.net> References: <4AAE95B2.5050409@sitpub.com> <20090915131829.0b0a0ab7.wmoran@potentialtech.com> <20090915141317.7a41b042@scorpio.seibercom.net> <200909152051.40695.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> <20090915151425.4b6ce6f2@scorpio.seibercom.net> <4AAFEAFB.9030603@pixelhammer.com> <20090915163711.406257a6@scorpio.seibercom.net> <4ab089ee.pco85GKJ5xtY03wv%perryh@pluto.rain.com> <20090916070850.213b1dfa@scorpio.seibercom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry <gesbbb@yahoo.com> wrote: > > On Tue, 15 Sep 2009 23:47:10 -0700 > perryh@pluto.rain.com wrote: > >> Jerry <gesbbb@yahoo.com> wrote: >> > Waiting until someone is harmed is tantamount to being an >> > accomplice to the act. >> >> And providing details of a currently-undefendable vulnerability >> to a black hat who did not previously know about it, thereby >> enabling the black hat to perpetrate harm that would otherwise >> not have occurred, isn't? > > The simple act of publishing the fact that a know exploit exists for a > given program compromises nothing. Example: > > WARN: The following program(s) have known exploits. > > PROGRAM: prog-name > PROGRAM VERSION: 2.4 > OS: FreeBSD-7.2+ > EXPLOIT: Potential to render HD inaccessible > PATCH: NONE AVAILABLE > SUGGESTION: If prog-name is not imperative to system > performance, remove it and consider using a similar > product by another author. > > A simple solution that affords the end user the right to make an > informed decision. I realize that governments, especially > socialistic/fascists ones use the terms 'censorship' and 'secret' with > the term 'For their own good' interchangeable. I would hate to see the > open-source community, especially FBSD embracing that philosophy. > Are you really serious? What you posted (your example) does absolutely no good for the average user. What are you going to do? Stop using the program? And how can you possibly make an "informed decision" when you know nothing other than the fact that something is wrong? OTOH, it's all an attacker needs to start digging around and successfully break in. Think about this. A guy wants to find a pot of gold. He goes to a field and finds 12,000 pots. Where does he start? Along comes someone who believes in "freedom of speech" and says, "Well, I don't know where the gold is, but that pot over there is a good place to look. I happen to know that it was put there recently and there was a lot of secrecy surrounding it." Or an attacker approaches a seemingly impenetrable castle, trying to figure out how to defeat the army inside. He knows he's going to have probe every area and lose many men in the process in order to find a weakness he can exploit. Then one soldier, believing in "freedom" sends them a message that there's a weakness on the north face of the wall. He doesn't tell them exactly where, but he's managed to focus their efforts on the area most likely to allow them to breach the wall and defeat the army inside, he's reduced the attacker's efforts by three fourths and reduced their losses as well. You clearly don't understand the advantage that hackers have over the average user. Rather than censorship, how the FreeBSD team handles issues like this is good stewardship. They have a responsibility to the community to protect them. They do that by not irresponsibly trumpeting known weaknesses before a solution is available to the end users. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19BF38262156A790CFBB927F>