On Sun, 27 Feb 2000, Avi Schwartz wrote:
> Actually it makes a whole lot of sense and it is a common practice. Since the bug was *unknown*, it made sense to delay the announcement and give other vendors a chance to fix the bug. Had the announcement gone out immediately it would have given crackers a chance to exploit the bug.
How do we know it was unknown? Unpublished, probably; unknown, almost certainly not. It is logical that if you found the hole, you're not the only one capable of finding it, and therefore not the only one who has. Tell us we're not back to security through obscurity? How many other unknown bugs are people able to compromise us using?

I thought one of the whole benefits of OSS was that security holes could be found quicker, published to the community (BugTraq anyone?), and patched by individuals while waiting for the vendor to do so.

It's kinda like, "Oh, and by the way, I noticed that your front door hasn't been locking properly for weeks, but don't worry, because I contacted the lock maker, and they said that if you insert oil here and loosen that screw there, the dead bolt will work properly now." "Your computer system and the data stored on it have been vulnerable to attacks for X days, but we thought that you'd rather wait until the vendor had had a chance to fix it before we let you know."

I accept that fixes to problems may not come immediately, but I believe that if anyone knows about holes in advance, it'll be the underground community, and that admins will be less at risk when they know about the hole.

As the security officer for a distribution without the resources to do its own audits, I've got to rely on public disclosure of holes before I can issue fixes. If you wait until vendors have had a chance to fix it before publicly releasing it, add on a few hours' lag in me finding out (I'm not sitting at my computer 24/7; I have a life, college, work, etc.), some time for me to verify, test, repackage, write the advisory, and post the package/advisory, then you'll see my users are open to attack for quite a while longer than they should be.

I believe in full disclosure. Sorry guys, I'm with the Yash-meister on this one.

/cog