Mailinglist Archive: opensuse-security (195 mails)

< Previous Next >
Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: John Grant <jmgrant@xxxxxxxxxxxx>
  • Date: Tue, 07 Mar 2000 04:45:56 -0800 (PST)
  • Message-id: <200003071245.EAA17080@xxxxxxxxxxxxxxxxx>
Petri Sirkkala. said:
>
>
> On Tue, 7 Mar 2000, John Grant wrote:
>
> > Petri Sirkkala. said:
> > >
> > >
> > > On Mon, 6 Mar 2000, Yasholomew Yashinski wrote:
> > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > [snip]
> > > > So I tell you that you should use qmail because the latest sendmail is
> > > > crackable. Is this true, or am I just spreading FUD? An exploit allows
> > > > admins to try it on their systems.
> > >
> > > I don't care if it is a FUD or not. I only react to those mails
> > > originating from SuSE or the real vendors of the programs. These are of
> > > course the parties that need the exploits to verify the bug, and then
> > > send the _official_ security issues.
> >
>
> I did not say _only_ suse. But so far I trust only the ones I can verify
> myself. This is what everyman has to determine themselves.

That's exactly my point. How do I know I can trust them without being able to
double-check them? That's why I, as the person responsible for securing a
system, need an exploit to be published as soon as it's known. I need to
verify the bug on my system, and verify the fix once it's made available (or
I've patched it myself, if I have source).

Something else to consider.. a bug is not always found by an audit. Often,
perhaps even most of the time, a security hole is found by someone being
hacked, and the hackee tracking down how. In that case the exploit is
_already_ known, so I'm already vulnerable. Publishing the exploit just makes
_me_ aware of it, which is something I want to happen as soon as possible.

Even if found by audit, there's no guarantee that no-one else has found it too,
and is using it. Any way I look at it, it's my assets in jeopardy, and I want
to be notified immediately so I can take steps to protect those assets.

-John




< Previous Next >
List Navigation
References