Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: "Daniel L. Donahue" <don34090@xxxxxxxxxxxxx>
  • Date: Tue, 7 Mar 2000 12:21:48 -0600 (CST)
  • Message-id: <Pine.LNX.4.21.0003071200470.1670-100000@xxxxxxxxxxxxxxxxxxxxxx>
On Tue, 7 Mar 2000, Petri Sirkkala wrote:
> I don't care if it is a FUD or not. I only react to those mails
> originating from SuSE or the real vendors of the programs. These are of
> course the parties that need the exploits to verify the bug, and then
> send the _official_ security issues.

Why? If you hang in UNIX circles long enough, you can learn all
sorts of tricks, programming related or otherwise. Knowing the exact
exploit is a helpful thing-- if you know how to do it, you can help harden
your box(es) against the CONDITIONS that will lead to a compromise in many
cases.

> If you find a bug, let the authors know first. If this does not work,
> then stop using their product, maybe make your own.

Oh, come on. Make your own? Why not patch something that is
already working well enough (at least for you to have been using it)? It
doesn't even have to be a permanent fix, but just enough to cover the
hole, e.g. replacing a gets() (btw, who the hell still uses that?) with a
couple of more lines and fgets() in order to eliminate a buffer overflow.

> If you find out that doorlocks can be picked, you should not go out and
> nail posters around telling _how_ it can be done, but you should inform
> the makers of the locks and the shops that sell them, which take contact
> with the customers. Or so I think I would do.

Not everyone is as helpless as that, and most UNIX admins are
"locksmiths" of varying ability in their own right. On top of this, the
general argument/flame over releasing/holding back exploit+working code
is, in my mind, a bad thing (TM).
So far, it seems most of the proponents of late disclosure tend to
scream that early release of an exploit and code is bad in that you are
putting the tools into the hands of the crackers, and that there is no
point in releasing such information without a handy patch against it
already available.
This is complete and utter BS.
Let me at least say why I think so :) It only takes one cracker
with a mass netscan to find your box with the rootable service. It only
takes one 'cracker' with contacts in security and software companies to
get wind of an exploit and throw it to the wind of the underground. You
can't just hide your head in the sand and pray that they will go away,
because crackers are always looking for the latest new exploit to get more
boxes for their stupid DDoS attacks.
This is why full and early disclosure is a necessity-- while the
service in question cannot be fixed because there is no patch, there *ARE*
ways of protecting against remote types of exploits. Stricter
firewall/tcpwrapper definitions, shutting down the service, etc. Even with
local exploits there are steps that can be taken to avoid the conditions
necessary for a root exploit. Naturally, this is only if you *know* how it
is done.

> By 'being exploitable' I only referred to the attitude of flaming
> programmers, which does no-one any good and for one. I would feel
> exploited if I faced this kind of oppression. You know, I like to fix
> any bug I can as fast as possible.

Doesn't everyone? Most open source type programs are written by
people who actually use their own product-- or at least they have pride in
their own product.

dan



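The gets()-to-fgets() swap mentioned in the message above, worked through as an added example (it is not code from the post, from the thread, or from SuSE). The function name read_line, the LINE_* status values, and the sample input are this example's own constructions. It shows the two details a bounded replacement needs beyond the one-line substitution: stripping the newline fgets() leaves in the buffer, and noticing when the line did not fit so the unread tail is discarded rather than fed to the next read as if it were a fresh line.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Before: the hole the post describes. gets() is told nothing about the size
 * of buf and copies until newline or EOF, so any line longer than 63 bytes
 * runs past the array into whatever the compiler placed after it (other
 * locals, saved registers, the return address). Kept as a comment because
 * gets() was removed in C11 and current toolchains refuse to build it:
 *
 *     char buf[64];
 *     gets(buf);             -- never bounded
 */

enum line_status { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/* After: the "couple of more lines and fgets()". Reads one line into buf
 * (at most size-1 bytes plus the NUL), strips the trailing newline, and
 * tells the caller whether the line was longer than the buffer. When it
 * was, the rest of that line is discarded so the next call starts on the
 * next line instead of silently treating the overflow tail as new input.
 * size must be at least 2 (room for one character and the terminator). */
int read_line(char *buf, size_t size, FILE *in)
{
    if (buf == NULL || size < 2 || size > INT_MAX)
        return LINE_EOF;                       /* caller error; nothing read */

    if (fgets(buf, (int)size, in) == NULL) {   /* EOF or read error */
        buf[0] = '\0';
        return LINE_EOF;
    }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {     /* whole line fit, newline included */
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline in the buffer: either the line ended at EOF without one, the
     * line filled the buffer exactly, or the line was longer than the buffer.
     * One more character tells us which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;

    while (c != EOF && c != '\n')              /* drain the over-long tail */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Demo helper (not part of the fix): feeds a constructed in-memory sample
 * through read_line() via a temporary file, one row of `width` bytes per
 * line. Returns the number of lines read; status[i] holds each line's
 * result. Returns -1 if the temporary file cannot be created. */
int read_lines_from_string(const char *input, char *rows, size_t width,
                           int max_lines, int *status)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(input, fp);
    rewind(fp);

    int n = 0;
    while (n < max_lines) {
        int st = read_line(rows + (size_t)n * width, width, fp);
        if (st == LINE_EOF)
            break;
        status[n++] = st;
    }
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed sample: a normal line, an over-long line, the line after it,
     * and a final line with no newline that exactly fills an 8-byte buffer. */
    static const char sample[] =
        "short\nthis line is far too long for the buffer\nnext\n1234567";
    char rows[4][8];
    int status[4];
    int n = read_lines_from_string(sample, &rows[0][0], sizeof rows[0], 4, status);
    for (int i = 0; i < n; i++)
        printf("%-10s \"%s\"\n",
               status[i] == LINE_TRUNCATED ? "truncated" : "ok", rows[i]);
    return 0;
}
```

With the 8-byte rows in main(), the over-long line comes back as "this li" flagged truncated and the line after it is read intact as "next"; without the drain loop the leftover "ne is far too long for the buffer" would have been returned as the next line, which is the kind of quiet misparse that turns a bounded read into a logic bug further down.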