From: Jerry <gesbbb@yahoo.com>
Date: Tue, 15 Sep 2009 16:37:11 -0400
To: freebsd-questions@freebsd.org
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <20090915163711.406257a6@scorpio.seibercom.net>
In-Reply-To: <4AAFEAFB.9030603@pixelhammer.com>
References: <4AAE95B2.5050409@sitpub.com> <20090915131829.0b0a0ab7.wmoran@potentialtech.com> <20090915141317.7a41b042@scorpio.seibercom.net> <200909152051.40695.mel.flynn+fbsd.questions@mailing.thruhere.net> <20090915151425.4b6ce6f2@scorpio.seibercom.net> <4AAFEAFB.9030603@pixelhammer.com>
Organization: seibercom.net
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.16.6; i386-portbld-freebsd7.2)
List-Id: User questions <freebsd-questions@freebsd.org>
On Tue, 15 Sep 2009 15:28:59 -0400 DAve wrote:

> Jerry wrote:
> > On Tue, 15 Sep 2009 20:51:40 +0200
> > Mel Flynn wrote:
> >
> >> Please inform yourself properly before assuming you're right.
> >> Mozilla does not by default publish vulnerabilities before a fix
> >> is known. In some cases publishing has been delayed by months. The
> >> exception is when exploits are already in the wild and a work
> >> around is available, while a real fix will take more work.
> >>
> >> This is also why vulnerabilities are typically not disclosed till a
> >> fix is known, because it does not protect the typical user, but
> >> puts him in harm's way, which is exactly what you don't want.
> >>
> >> In theory, if I know the details of this particular exploit, I can
> >> patch my 6.4 machines myself, but more realistically, if developers
> >> take all this time to come up with a solution that doesn't break
> >> functionality the chances that I and more casual users can do this
> >> are slim. Meanwhile, the exploit will be coded into the usual
> >> rootkits and internet scanners and casualties will be made. That
> >> doesn't help anyone.
> >
> > Assume that I have discovered a vulnerability in a widely used, or
> > even marginal for argument's sake, program. I now start to exploit
> > that vulnerability. Now assume that you are responsible for
> > maintaining that program. Use any job description that suits you
> > for this purpose. Are you claiming that since it may take several
> > months to fix, it is better to let users be exploited rather than
> > inform them that there is an exploitable problem in said software?
> > I find that extremely disturbing.
> >
> > As you can no doubt tell, I am not a believer in the "Ignorance is
> > bliss" theory.
>
> I believe the point that others are trying to make is this. Your
> example requires that the exploit is known to the blackhats and in
> use currently. Their example assumes that exploit is only known to
> those who discovered it.
>
> This particular exploit is not believed to be known to the black
> hats, and not known to be in use currently.
>
> Is it better for an exploit to remain a secret and not in use,
> protecting those that may not get their systems patched in time (as
> the blackhats *will* most certainly put the exploit to use as soon as
> they are told about it). Or, let the exploit remain a secret until it
> is either fixed and a patch made available or discovered in use by
> blackhats.
>
> I think you are both right. If the exploit is not being used, keep it
> a secret and let the developers design a permanent fix. If the
> exploit is discovered publicly before the fix is out, warn everyone
> loudly and provide a workaround.
>
> I believe all software I am aware of handles exploits with that
> method.

I am not aware of any infallible method of determining if an exploit is
in use. By the time the exploit becomes common knowledge it is usually
too late. Lacking same, I believe in the "Forewarned is Forearmed"
policy. Waiting until someone is harmed is tantamount to being an
accomplice to the act.

-- 
Jerry
gesbbb@yahoo.com

Never buy from a rich salesman.

Goldenstern