Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: "Petri Sirkkala." <petes@xxxxxxxxxxxxx>
  • Date: Tue, 7 Mar 2000 11:59:24 +0200 (EET)
  • Message-id: <Pine.LNX.4.10.10003071134290.2160-100000@xxxxxxxxxxxxxxxxx>


On Mon, 6 Mar 2000, Yasholomew Yashinski wrote:

> On Sat, 4 Mar 2000, Petri Sirkkala. wrote:
>
> > > > Bruce Schneier has a very good piece about this. In it he condemns
> > > > publishing exploits, and *demands* that those who find exploits give the
> > > > vendors ample time (not just a few days) to fix the hole.
> > >
> > > I read that newsletter, and I have to fully disagree with him.
>
> I'm inclined to agree with Rune here.
>
> > > Exploits point a finger, and say "look, it's *very* vulnerable, fix it,
> > > quick". You don't know if you're the only one that knows about the
> > > vulnerability. The only responsible thing to do is to publish the exploit to
> > > as many security mailing lists as possible, and let admins disable the buggy
> > > service.
> >
> > Do we really need an exploit, why? Is it not enough to inform that
> > service this-and-that has a weak point, the authors have been informed
> > and responsible admins might disable this service. You know, there is no
> > technical solution to social problems.
>
> So I tell you that you should use qmail because the latest sendmail is
> crackable. Is this true, or am I just spreading FUD? An exploit allows
> admins to try it on their systems.

I don't care if it is a FUD or not. I only react to those mails
originating from SuSE or the real vendors of the programs. These are of
course the parties that need the exploits to verify the bug, and then
send the _official_ security issues.

If you find a bug, let the authors know first. If this does not work,
then stop using their product, maybe make your own.

And if the time taken by this process is an issue, think if you are
really the first to know about the bug anyway?

If you find out that doorlocks can be picked, you should not go out and
nail posters around telling _how_ it can be done, but you should inform
the makers of the locks and the shops that sell them, which take contact
with the customers. Or so I think I would do.

>
> > > Also, when you publish the exploit before a patch has been made, you light a
> > > fire under the program-makers' asses. They have to work faster, and will
> > > release a patch earlier. They won't wait until their press department has
> > > finished making a really nice-looking press release. They will release the
> > > patch as soon as it's finished, without delay.
> > >
> >
> > If this is what you need an exploit for, well feel free to be
> > exploitable. You see most programmers really do this for fun and
> > perfection, not to be mocked and flamed. Have you ever considered making
> > these things you are given free yourselves?
>
> Programmers patch their exploited programs for fun? I don't see what
> gives you the right to tell someone they should be exploitable. That would
> be following the same belief that your peers are more important than your
> customers.

By 'being exploitable' I only referred to the attitude of flaming
programmers, which does no one any good, and for one, I would feel
exploited if I faced this kind of oppression. You know, I like to fix
any bug I can as fast as possible.

To be sure of what you are using you should make your tools yourselves.

>
> > Phew, it really makes no sense to make programs then.
>
> Because they can be exploited and will need patched?

No, because 'this kind of public' seems to be backstabbing you. Why not
ask first and fire the shotguns later?

Demanding patches and updates is no better than asking for them. It
might even turn out that a nasty letter to a developer might end a
product.

-Pete

>
> > > (and before anyone starts ranting on about poor server admins getting their
> > > servers cracked because of exploits .. I've been cracked.. by the qpopper 2.2
> > > exploit ..
>
> Nice story. Too bad you weren't notified of the exploit earlier. Perhaps
> you were just waiting for your vendor to notify its competition of the
> patch, which could have prevented the attack.
>
> > > it was a horrible experience, but I do NOT blame the one who
> > > released the exploit. And I don't blame the makers of crowbars for break-ins,
> > > or the weapon manufacturers for murder).
>
> Some people want to know what weapons are available.
>
> I have to agree with "JuSSi" as well, anyone that uses an alias must be
> a malicious script kiddie.
>
> - --
> ..Yashy
