* cogNiTioN wrote on Sun, Mar 05, 2000 at 14:07 +0000:
On Sat, 4 Mar 2000, John Grant wrote:
Jussi Laako said:
Rune Kristian Viken wrote:
vulnerability. The only responsible thing to do, is to publish the exploit to as many security-mailinglists as possible, and let admins disable the buggy service.
Isn't it the SysAdmin's job (among others) to be quick in responding to security announcements?
And even when the annouce is delayed, and a patch is aviable, the Admin needs to install it, so it makes no difference: the admin needs to be fast.
What about those people who admin their servers in their free time? I do most of my admin work between the hours of 10pm and 2am.
Me too, but maybe in a different time zone...
What if sysadmin is at weekend trip with his sailing boat?
Yeah, of course, but even if the security problem report is delayed, he cannot upgrade the packages, so it hasn't such advantages to delay. Another thing: the argument was: delay the information, to give the maintainers time to prepare patches. This requires, that no other found the bug. But if no other found the bug, it would be the best to hide and forget the information completly... And I'm sure: an expirienced attacher/intruder get's such informations quickly, since he/she spent a lot of time searching for such things. They might attack if the find a security update somewhere. They have some time to test for vulnerabilities. And if the exploit becomes public, then they can try it on machines, since the admin cannot update just in time. IMHO it would be necessary to suggest a workaround (at least the "shutdown" method...) as soon as possible. BTW: I'm sure the most of the attackers now lot's more about bugs, exploits and so on like most of the administrators... oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.