Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] Security announcements
  • From: "Steffen Dettmer" <steffen@xxxxxxx>
  • Date: Sun, 5 Mar 2000 17:54:19 +0100
  • Message-id: <20000305175419.B1449@xxxxxxxxx>
* cogNiTioN wrote on Sun, Mar 05, 2000 at 14:07 +0000:
> On Sat, 4 Mar 2000, John Grant wrote:
> > Jussi Laako said:
> > > Rune Kristian Viken wrote:
> > > > vulnerability. The only responsible thing to do, is to publish the
> > > > exploit to as many security-mailinglists as possible, and let admins
> > > > disable the buggy service.
> > >
> Isn't it the SysAdmin's job (among others) to be quick in responding to
> security announcements?

And even when the announcement is delayed and a patch is available, the
admin needs to install it, so it makes no difference: the admin
needs to be fast.

> What about those people who admin their servers in their free time? I do
> most of my admin work between the hours of 10pm and 2am.

Me too, but maybe in a different time zone...

> > > What if sysadmin is at weekend trip with his sailing boat?

Yeah, of course, but even if the security problem report is
delayed, he cannot upgrade the packages, so delaying has no
such advantage.

Another thing: the argument was: delay the information, to give
the maintainers time to prepare patches. This requires that nobody
else found the bug. But if nobody else found the bug, it would be
best to hide and forget the information completely...

And I'm sure: an experienced attacker/intruder gets such
information quickly, since he/she spent a lot of time searching
for such things. They might attack if they find a security update
somewhere. They have some time to test for vulnerabilities. And
if the exploit becomes public, then they can try it on machines,
since the admin cannot update just in time.

IMHO it would be necessary to suggest a workaround (at least the
"shutdown" method...) as soon as possible.

BTW: I'm sure most of the attackers know lots more about
bugs, exploits and so on than most of the administrators...

oki,

Steffen

--
This message was generated by machine;
it therefore bears neither signature nor seal.
