* cogNiTioN wrote on Sun, Mar 05, 2000 at 17:20 +0000:
On Sun, 5 Mar 2000, Steffen Dettmer wrote:
What about those people who admin their servers in their free time? I do most of my admin work between the hours of 10pm and 2am.
Me too, but maybe in a different time zone...
Probably, I'm in the UK, and thus work from GMT.
And others work in the States. It shows what you (==cognition) said: It isn't possible to get advantages by delaying (IMHO).
What if the sysadmin is on a weekend trip with his sailing boat?
Yeah, of course, but even if the security problem report is delayed, he cannot upgrade the packages, so delaying doesn't have such advantages.
I was going to mention that, but forgot.
Yep, you said it, and I think you're correct.
Another thing: the argument was: delay the information to give the maintainers time to prepare patches. This requires that nobody else found the bug. But if nobody else found the bug, it would be best to hide and forget the information completely...
True. But that isn't the case, and never will be. Back to security through obscurity.
This was meant sarcastically... It should lead to:
This leads to another point, why release exploits at all?
If the argument for delaying were right, it would be best to not release exploits at all. I think the past showed that this won't work at all... Somebody would find the bug too, and nobody would have a patch or so, bad... IMHO the best thing is:
IMHO it would be necessary to suggest a workaround (at least the "shutdown" method...) as soon as possible.
Perhaps. But this option is almost always open.
But to disable a service that has a serious security problem I need to know about it. That's why I subscribed to this list... It's not necessary to tell all details if a bug occurs. So an attacker couldn't use it easily, since he wouldn't know enough details, only the affected program.
Also, you don't get many 9-5 people attacking machines. To some admins it's just a job; nearly all attackers have some other, and often greater, motivation.
And more time to "surf" around the net to find holes and information... I think at least some of them use a fast infrastructure to communicate; if a "hobby" attacker finds something, others get this information immediately, I think. Admins from different companies usually don't have so much communication with each other, I think. So it's a difficult job... Well... I still think it's not a good idea to delay security announcements... Sometimes I get such security information by PM or from a Linux user group or so earlier...

oki,
Steffen
-- 
This letter was generated by machine and therefore bears neither signature nor seal.