On Tue, 7 Mar 2000, Petri Sirkkala wrote:
> I don't care if it is FUD or not. I only react to those mails originating from SuSE or the real vendors of the programs. These are of course the parties that need the exploits to verify the bug, and then send the _official_ security issues.
Why? If you hang in UNIX circles long enough, you can learn all sorts of tricks, programming related or otherwise. Knowing the exact exploit is a helpful thing-- if you know how to do it, you can help harden your box(es) against the CONDITIONS that will lead to a compromise in many cases.
> If you find a bug, let the authors know first. If this does not work, then stop using their product, maybe make your own.
Oh, come on. Make your own? Why not patch something that is already working well enough (at least for you to have been using it)? It doesn't even have to be a permanent fix, but just enough to cover the hole, e.g. replacing a gets() (btw, who the hell still uses that?) with a couple more lines and fgets() in order to eliminate a buffer overflow.
> If you find out that door locks can be picked, you should not go out and nail posters around telling _how_ it can be done, but you should inform the makers of the locks and the shops that sell them, which contact the customers. Or so I think I would do.
Not everyone is as helpless as that, and most UNIX admins are "locksmiths" of varying ability in their own right. On top of this, the general argument/flame over releasing/holding back exploit+working code is, in my mind, a bad thing (TM). So far, it seems most of the proponents of late disclosure tend to scream that early release of an exploit and code is bad in that you are putting the tools into the hands of the crackers, and that there is no point in releasing such information without a handy patch against it already available. This is complete and utter BS. Let me at least say why I think so :)

It only takes one cracker with a mass netscan to find your box with the rootable service. It only takes one 'cracker' with contacts in security and software companies to get wind of an exploit and throw it to the wind of the underground. You can't just hide your head in the sand and pray that they will go away, because crackers are always looking for the latest new exploit to get more boxes for their stupid DDoS attacks.

This is why full and early disclosure is a necessity-- while the service in question cannot be fixed because there is no patch, there *ARE* ways of protecting against remote types of exploits: stricter firewall/tcpwrapper definitions, shutting down the service, etc. Even with local exploits there are steps that can be taken to avoid the conditions necessary for a root exploit. Naturally, this is only if you *know* how it is done.
> By 'being exploitable' I only referred to the attitude of flaming programmers, which does no-one any good and, for one, I would feel exploited if I faced this kind of oppression. You know, I like to fix any bug I can as fast as possible.
Doesn't everyone? Most open source type programs are written by people who actually use their own product-- or at least they have pride in their own product.

dan
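The gets()-to-fgets() swap dan mentions above, written out as an added example (this is not code from the thread or from any of the programs discussed). The "before" reader reproduces gets() by hand, since gets() itself is gone from the C standard; the "after" reader uses fgets() plus the two checks people usually forget: an over-long line is reported as truncated rather than silently cut, and its unread tail is drained so the next read does not start mid-line. A buffer size of 16, the sample input, and the use of POSIX fmemopen() to feed a string in as a stream are all assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for this demo */

/* Status codes returned by read_line_bounded(). */
enum { READ_OK = 0, READ_EOF = -1, READ_TRUNCATED = -2 };

/*
 * BEFORE: the gets() pattern, written out by hand because gets() was
 * removed from the C standard.  Nothing here knows how big buf is, so a
 * line longer than the buffer writes past its end.  Kept only to show the
 * shape of the hole; do not call it on untrusted input.
 */
char *read_line_unbounded(FILE *fp, char *buf) {
    int c;
    char *p = buf;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        *p++ = (char)c;          /* no bound check: this is the overflow */
    *p = '\0';
    return (c == EOF && p == buf) ? NULL : buf;
}

/*
 * AFTER: fgets() never writes more than len bytes, but it does not tell
 * you whether the whole line fitted.  An over-long line leaves its tail in
 * the stream, so a naive next read would start in the middle of it.  This
 * wrapper strips the newline, detects truncation and discards the rest.
 */
int read_line_bounded(FILE *fp, char *buf, size_t len) {
    if (fgets(buf, (int)len, fp) == NULL)
        return READ_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';       /* complete line: drop the newline */
        return READ_OK;
    }
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return READ_OK;          /* line filled the buffer exactly, or input ended without '\n' */
    while (c != '\n' && c != EOF)
        c = fgetc(fp);           /* discard the part that did not fit */
    return READ_TRUNCATED;
}

/*
 * Read every line of a constructed input string into fixed-size buffers,
 * recording each line's status.  Returns the number of lines read, or -1
 * if the in-memory stream could not be opened.
 */
int read_all(const char *input, char out[][NAME_LEN], int status[], int max_lines) {
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (fp == NULL)
        return -1;
    int n = 0;
    while (n < max_lines) {
        int st = read_line_bounded(fp, out[n], NAME_LEN);
        if (st == READ_EOF)
            break;
        status[n++] = st;
    }
    fclose(fp);
    return n;
}

int main(void) {
    /* Constructed sample input: line 2 is longer than NAME_LEN - 1 bytes. */
    const char *sample = "alice\nthis-name-is-far-too-long-for-the-buffer\nbob\n";
    char names[4][NAME_LEN];
    int status[4];
    int n = read_all(sample, names, status, 4);
    for (int i = 0; i < n; i++)
        printf("%d: \"%s\"%s\n", i, names[i],
               status[i] == READ_TRUNCATED ? " (truncated, rest discarded)" : "");
    return 0;
}
```

The two extra checks are the point: fgets() alone closes the overflow but, without the drain loop, an attacker-controlled long line still desynchronises every read that follows it, and without the fgetc() peek a line that fills the buffer exactly would be misreported as truncated.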