Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: "Petri Sirkkala." <petes@xxxxxxxxxxxxx>
  • Date: Sat, 4 Mar 2000 18:29:45 +0200 (EET)
  • Message-id: <Pine.LNX.4.10.10003041824430.27138-100000@xxxxxxxxxxxxxxxxx>


On Sat, 4 Mar 2000, Rune Kristian Viken wrote:

> On Wed, 01 Mar 2000, you wrote:
>
> > Bruce Schneier has a very good piece about this. In it he condemns
> > publishing exploits, and *demands* that those who find exploits give the
> > vendors ample time (not just a few days) to fix the hole.
>
> I read that newsletter, and I have to fully disagree with him.
>
> Exploits point a finger and say "look, it's *very* vulnerable, fix it,
> quick". You don't know if you're the only one that knows about the
> vulnerability. The only responsible thing to do is to publish the exploit to
> as many security mailing lists as possible, and let admins disable the buggy
> service.

Do we really need an exploit, and why? Is it not enough to inform people
that service this-and-that has a weak point, that the authors have been
informed, and that responsible admins might disable this service? You know,
there is no technical solution to social problems.

>
> Also, when you publish the exploit before a patch has been made, you light a
> fire under the program-makers' asses. They have to work faster, and will
> release a patch earlier. They won't wait until their press department has
> finished making a really nice-looking press release. They will release the
> patch as soon as it's finished, without delay.
>

If this is what you need an exploit for, well, feel free to be
exploitable. You see, most programmers really do this for fun and
perfection, not to be mocked and flamed. Have you ever considered making
these things you are given for free yourselves?

Phew, it really makes no sense to make programs then.

-Pete

>
> Give the program developers a couple of days, at least if it's only an unchecked
> buffer or something that can be fixed in a matter of seconds.
>
>
> (and before anyone starts ranting on about poor server admins getting their
> servers cracked because of exploits .. I've been cracked.. by the qpopper 2.2
> exploit .. it was a horrible experience, but I do NOT blame the one who
> released the exploit. And I don't blame the makers of crowbars for break-ins,
> or the weapon manufacturers for murder).
>
> --
> "Rune Kristian Viken" <arcade@xxxxxxxxxxxxx> / arcade@irc (EFnet/IRCnet)
> Kvinesdalsnett System Administrator (http://arcade.kvinesdal.com/)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>

