YuppaDuppa, On 05-Nov-01 Bitzer, Gerd wrote:
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/
:)
-----Original Message----- From: Ken Schneider [mailto:kschneider@rtsx.com] Sent: Monday, 5 November 2001 14:38 To: suse-security@suse.com Subject: Re: [suse-security] [Flame] A Disservice to the Linux Community
<flame> You sir are an idiot.
What we are talking about here is a pretty major bug in the Linux kernel. Linux is now a mainstream product that is used commercially in many major organisations.
SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date. If YOU were a programmer/exploit developer and had found this bug yourself, you would be free to release this information to the general public first without giving the Linux developers time to develop a fix.
As it is, from a Google search I can find no useful contribution from you regarding anything, not even help to someone else on a mailing list.
Please go back into your corner, sit down and shut up.
Feel free to speak again when you have something productive to offer </flame>
Not enough coffee today ...
Bravo, bravo.
This guy does need to sit in a corner! I feel you took the correct route by NOT announcing a major kernel bug to people that could exploit it BEFORE having a fix available, including any competitors having a fix or knowledge.
Hmm... a full disclosure debate on SuSE sec, and I was on vacation. Shame! ;) Well... On Bugtraq, every now and then this debate breaks loose, and in the end the whole thing usually turns into a flame fest. Funny to read, but dangerous to reply! :)

The questions: Do *all of us* have the power/knowledge/spare time/etc. to actively counter any kind of new vulnerability, e.g. by developing patches or other countermeasures? Do *we all* know how to code in C, search for kernel vulns, wade through tons of esoteric sec or network techniques?

The answer: No, most of us don't. There are some who could have coded their own patch, and naturally they think that this kernel-vuln issue should have been announced earlier. In this special case, with a kernel vuln at hand, I think it was the Right Thing to wait for a proper patch before making the stuff public. Kernel stuff is way more complex than a simple buggy daemon. I only hope this case will not be standard in the future.

Normally, I'm a strong supporter of full disclosure, because it's a free OS we're talking about. Saying that there are "commercial" companies with a commercial interest in delayed disclosure is not very helpful. Information is free, and will find a way to be free if it is cut down. There's plenty of info in other corners of the 'net, so we here and the Bugtraq ppl should not believe the hype; if a new vuln will not be published on Bugtraq or SuSE sec, it sure as hell will be on 2600, in loads of newsgroups and on countless non-public BBSs, via ICQ/IRC, etc. Most ppl have no idea of the gray/black scene, I fear.

Exaggerated cutting of information will help the crackers, not the admins, because it does not affect the channels of information of the crackers, but official lists, like SuSE's. No man is an island, and no sec mailing list is, either. Bugtraq and SuSE sec are not the center of the security universe - our enemies are prepared. But with a general cut of full disclosure, we won't be. That's what bugs me.
Ken Schneider Senior UNIX Administrator Network Administrator
Boris Lorenz