Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] Security announcements
  • From: "Steffen Dettmer" <steffen@xxxxxxx>
  • Date: Sun, 5 Mar 2000 19:19:24 +0100
  • Message-id: <20000305191924.E1449@xxxxxxxxx>
* cogNiTioN wrote on Sun, Mar 05, 2000 at 17:20 +0000:
> On Sun, 5 Mar 2000, Steffen Dettmer wrote:
>
> > > What about those people who admin their servers in their free time? I do
> > > most of my admin work between the hours of 10pm and 2am.
> >
> > Me too, but maybe in a different time zone...
>
> Probably, I'm in the UK, and thus work from GMT.

And others work in the States. It shows what you (==cognition)
said: It isn't possible to get advantages by delaying (IMHO).

> > > > > What if sysadmin is at weekend trip with his sailing boat?
> >
> > Yeah, of course, but even if the security problem report is
> > delayed, he cannot upgrade the packages, so it hasn't such
> > advantages to delay.
>
> I was going to mention that, but forgot.

Yepp, you told it, and I think you're correct.

> > Another thing: the argument was: delay the information, to give
> > the maintainers time to prepare patches. This requires, that no
> > other found the bug. But if no other found the bug, it would be
> > the best to hide and forget the information completly...
>
> true. But that isn't the case, and never will be. Back to Security through
> obscurity.

This was meant sarcastic... It should lead to:

> This leads to another point, why release exploits at all?

If the argument for delaying were right, it would be best
to not release exploits at all. I think the past showed that
this won't work at all... Somebody would find the bug too, and
nobody had a patch or so, bad...
IMHO the best thing is:

> > IMHO it would be necessary to suggest a workaround (at least the
> > "shutdown" method...) as soon as possible.
>
> Perhaps. But this option is almost always open.

But to disable a service that has a serious security problem I
need to know about it. That's why I subscribed to this list...
It's not necessary to tell all details if a bug occurs. So an
attacker couldn't use it easily, since he wouldn't know enough
details, only the affected program.

> Also, you don't get many 9-5 people attacking machines, to some
> admins it's just a job, to nearly all attackers, they have some other, and
> often greater, motivation.

And more time to "surf" around the net to find holes and
information... I think at least some of them use a fast
infrastructure to communicate; if a "hobby" attacker finds
something, others get this information immediately, I think. Admins
from different companies usually don't have so much communication with
each other, I think. So it's a difficult job...

Well... I still think it's not a good idea to delay security
announcements... Sometimes I get such security information by PM
or from a Linux user group or so earlier...

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
