[Flame] A Disservice to the Linux Community
Greetings to those at linuxsecurity.com,

In regards to http://www.linuxsecurity.com/advisories/suse_advisory-1680.html, there is a note that reads:

<<QUOTE>> The information about this problem was withheld from the public in coordination with other Linux vendors/distributors in order to give the distributors enough time to update their kernel packages. We find that this coordination is beneficial for the community, while we regret that the bug could not be fixed in time before the other distributors' kernel updates. <<ENDQUOTE>>

How dare you. I consider this to be a great disservice to the Linux community. Linux is not about the vendors/distributors. They are not the only ones out there with interests in security problems being fixed. By withholding information, you take away an untold number of eyes that could be looking at the problem. Some of those eyes may even be better equipped to handle the problems than the vendors/distributors themselves, and can do so in a more timely fashion. You have produced an unnecessary window of opportunity for malicious attacks against unprotected systems. I do not believe the Linux community needs support from, or should support, those who would withhold valuable information from them. Please do not repeat this type of attitude and behavior.

Regards,
Keith Hopkins

P.S. To all those reading this on a mailing list, I urge you to respond directly to info@linuxsecurity.com with your opinion.
On Sat, 03 Nov 2001 21:23:55 +0900 Keith Hopkins <hne@inetnow.net> wrote:
Greetings to those at linuxsecurity.com,
In regards to http://www.linuxsecurity.com/advisories/suse_advisory-1680.html, there is a note that reads: <<QUOTE>> The information about this problem was withheld from the public in coordination with other Linux vendors/distributors in order to give the distributors enough time to update their kernel packages. We find that this coordination is beneficial for the community, while we regret that the bug could not be fixed in time before the other distributors' kernel updates. <<ENDQUOTE>>
How dare you. I consider this to be a great disservice to the Linux community. Linux is not about the vendors/distributors. They are not the only ones out there with interests in security problems being fixed. By withholding information, you take away an untold number of eyes that could be looking at the problem. Some of those eyes may even be better equipped to handle the problems than the vendors/distributors themselves, and can do so in a more timely fashion. You have produced an unnecessary window of opportunity for malicious attacks against unprotected systems. I do not believe the Linux community needs support from, or should support, those who would withhold valuable information from them. Please do not repeat this type of attitude and behavior.
Regards, Keith Hopkins
P.S. To all those reading this on a mailing list, I urge you to respond directly to info@linuxsecurity.com with your opinion.
<flame> You sir are an idiot.

What we are talking about here is a pretty major bug in the Linux kernel. Linux is now a mainstream product that is used commercially in many major organisations. SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date. If YOU were a programmer/exploit developer and had found this bug yourself, you would be free to release this information to the general public first without giving the Linux developers time to develop a fix. As it is, from a Google search I can find no useful contribution from you regarding anything, not even help to someone else on a mailing list.

Please go back into your corner, sit down and shut up.

Feel free to speak again when you have something productive to offer </flame>

Not enough coffee today ...

--
Viel Spaß
Nix - nix@susesecurity.com
http://www.susesecurity.com
On Sat, 3 Nov 2001, Peter Nixon wrote:
On Sat, 03 Nov 2001 21:23:55 +0900 Keith Hopkins <hne@inetnow.net> wrote:
Greetings to those at linuxsecurity.com,
In regards to http://www.linuxsecurity.com/advisories/suse_advisory-1680.html, there is a note that reads: <<QUOTE>> The information about this problem was withheld from the public in coordination with other Linux vendors/distributors in order to give the distributors enough time to update their kernel packages. We find that this coordination is beneficial for the community, while we regret that the bug could not be fixed in time before the other distributors' kernel updates. <<ENDQUOTE>>
How dare you. I consider this to be a great disservice to the Linux community. Linux is not about the vendors/distributors. They are not the only ones out there with interests in security problems being fixed. By withholding information, you take away an untold number of eyes that could be looking at the problem. Some of those eyes may even be better equipped to handle the problems than the vendors/distributors themselves, and can do so in a more timely fashion. You have produced an unnecessary window of opportunity for malicious attacks against unprotected systems.
<flame> You sir are an idiot.
What we are talking about here is a pretty major bug in the Linux kernel. Linux is now a mainstream product that is used commercially in many major organisations. SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date.
<snip ad hominem attack>
Feel free to speak again when you have something productive to offer </flame>
He did offer something productive. You flamed him for it. Linux security is NOT based on "commercial manufacturers" -- Microsoft's security is. Linux is not secure because bugs are hidden, ever. It is secure because when bugs become publicly known, there are hundreds of times more people who want to fix them than there are who want to develop exploits.

While I agree that the choice of whether and how to reveal a bug is up to the person or people discovering it, every day it went unfixed because of you withholding information was another opportunity for a crack to be developed. When you held it back, maybe a few dozen people were working on it. Had you released it, a few hundred would have tried to exploit it -- which overwhelms the puny effort that distribution builders or any commercial providers can make -- but a few *thousand* would have tried to fix it first, which overwhelms the efforts of the crackers.

Linux security is because of the community, not the distribution packagers. That is why it is better than commercial products, and only as long as it continues that way will it remain better than commercial products.

Bear
Having been in the computer and specifically the sysadmin business for a good number of years, I am glad to see that the information about this bug was withheld...

Yes, more people could have been looking at it, including those who would do malicious things if given the opportunity. How many machines do you think were saved by not letting everyone know that there was a hole here? Think about that for a minute. No, it's not about commercialism, it's about common sense and doing what you can to protect people's vested interests in Linux itself, and the businesses that people like myself have built using Linux as a platform. It's not just about a security hole, you also have to look at the type of security risk. If it's a local exploit, yes, let the world know. If it's a remote exploit, you have to be a little more conscious about your actions and the potential consequences of those actions. I am quite sure that the people involved considered whether or not to make this public. There was probably also consideration given to "how easy to exploit" this problem was. If anyone was really trying to hide something, I am sure that nothing would have been said at all, and unless someone does a thorough audit of the code itself, change notes themselves would not have given anything away.

Personally I commend SuSE and the other distros for trying to protect my interests, and I'm sure the people who know the code best (e.g. people like Alan, Nikita, Roman and others) were closely involved in generating the fix for this. I thank them for doing the responsible thing.

- Herman
To Mr. Knief & Mr. Link,
Thank you for your well considered words.

To Mr. Dillinger,
Thank you for your input. I think you at least saw the point I was trying to make.

To linuxsecurity.com,
My apologies for giving credit or laying blame where it was not due. Might I suggest you add a small banner on the page indicating it is not an original work? I simply followed the "Contact Us" link at the bottom of the page to deliver my feedback.

To all those on the lists,
Sorry for the interruption, this channel will go back to its regularly scheduled programming.

Opinionated as always,
Keith Hopkins
On Sat, 3 Nov 2001 09:03:25 -0800 (PST) Ray Dillinger <bear@sonic.net> wrote:
He did offer something productive. You flamed him for it. Linux security is NOT based on "commercial manufacturers" -- Microsoft's security is. Linux is not secure because bugs are hidden, ever. It is secure because when bugs become publicly known, there are hundreds of times more people who want to fix them than there are who want to develop exploits.
Right, but the bug was _not_ publicly known. That is the whole point. If it was publicly known, then there wouldn't be this thread, because the fix would also have been publicly posted to the Linux Kernel mailing list, and SuSE would have come out looking wonderful for being the first Linux distro to release an updated kernel. However, as a SuSE developer _found_ the bug, they did the correct thing by NOT releasing it to anyone (except the other distros) until there was a fix.
While I agree that the choice of whether and how to reveal a bug is up to the person or people discovering it, every day it went unfixed because of you withholding information was another opportunity for a crack to be developed. When you held it back, maybe a few dozen people were working on it. Had you released it, a few hundred would have tried to exploit it -- which overwhelms the puny effort that distribution builders or any commercial providers can make -- but a few *thousand* would have tried to fix it first, which overwhelms the efforts of the crackers.
Please note that it was not ME who was withholding the information; in fact I have no relationship with SuSE, and am simply the owner of the susesecurity.com domain name and the maintainer of the mailing list FAQ. If you wish to see official SuSE information, the email address is security@suse.de and the webpage is http://www.suse.de/security/
Linux security is because of the community, not the distribution packagers. That is why it is better than commercial products, and only as long as it continues that way will it remain better than commercial products.
Yes. I will not argue this one, although the SuSE security team have released some brilliant security additions to Linux. As the problem IS now publicly released, you and the rest of the Linux community are now free to make a "better" fix for this bug.

Have a good night.

--
Viel Spaß
Nix - nix@susesecurity.com
http://www.susesecurity.com
Hi,

the pros and cons of this have been discussed before; I do not think anyone has anything new to share here. To the ones complaining about this policy, please check the archives of this list and many others, as this topic was discussed more often than necessary. To the others, please direct flames to the authors, not the list, and be sure to get enough coffee ;).

Hopefully this will end this thread,

mike
<flame> You sir are an idiot.
What we are talking about here is a pretty major bug in the Linux kernel. Linux is now a mainstream product that is used commercially in many major organisations. SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date. If YOU were a programmer/exploit developer and had found this bug yourself, you would be free to release this information to the general public first without giving the Linux developers time to develop a fix. As it is, from a Google search I can find no useful contribution from you regarding anything, not even help to someone else on a mailing list.
Please go back into your corner, sit down and shut up.
Feel free to speak again when you have something productive to offer </flame>
Not enough coffee today ...
Bravo, bravo. This guy does need to sit in a corner! I feel you took the correct route by NOT announcing a major kernel bug to people that could exploit it BEFORE having a fix available, including any competitors having a fix or knowledge.

--
Ken Schneider
Senior UNIX Administrator
Network Administrator
Keith,

You've actually completely missed the concept they are trying to pass along here. You wouldn't want to stand on top of your house and shout that your front door lock broke before having an opportunity to have a locksmith come out and fix it. The point you mentioned about malicious users would be tenfold worse if SuSE announced that there was a hole in the system before they had a patch for it.

The concept is that they are not doing any harm in hiding the hole from the public - either a) the malicious user will not find out about it because the information is being passed along within a select group of people - or b) the malicious user already knows about the hole and wouldn't care if they spoke up about it or not.

You are correct in that there may be better people equipped to make a fix - but I'd rather have the SuSE fix available as a starting point before every bozo had the opportunity to break into my system. In fact, if they announced the bug before the fix was in place - that would give malicious users the window of opportunity you speak of to attack systems.

Also, even if you aren't a standard "distribution" user you will be helped by the fact that the patch that SuSE and others have developed can probably be quickly inserted into your own kernel. Again, hopefully before malicious users get the chance to attack your system.

I really don't see the downside to this policy. With the exception of a possible better fix coming from the greater community, which could be implemented later on by anyone on top of the SuSE et al. fixes.
John W Higgins
john@wishdev.com
I find it all rather amusing now that the vulnerability is announced. With proper multiple layered security it's not really an issue (assuming of course you use TCP SYN cookies and firewalling, which many do not). Anyways it's always quite amusing to see a complete over-reaction from someone who doesn't appear to understand security (i.e. risk management) and the computer industry too well. Personally in this case I think they did the right thing holding back in my opinion; the chances of an attacker guessing a 24-bit cookie are pretty remote, and access to a firewalled port should not immediately result in a penetration (personally I'm not a huge fan of firewalls, very few are done right).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
I agree fully with Kurt, and thanks to all the hard work of Roman, Marc and all at SuSE. SuSE is the best distro available.

doVe
participants (9)
- dove
- Herman Knief
- John W Higgins
- Keith Hopkins
- Ken Schneider
- Kurt Seifried
- Peter Nixon
- Ray Dillinger
- Thomas Michael Wanka