Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: "L. Sassaman" <rabbi@xxxxxxxxxxx>
  • Date: Wed, 1 Mar 2000 06:39:23 -0500 (EST)
  • Message-id: <Pine.LNX.4.21.QNWS_2.0003010637340.16762-100000@xxxxxxxxxxxxxxx>

Bruce Schneier has a very good piece about this. In it he condemns
publishing exploits, and *demands* that those who find exploits give the
vendors ample time (not just a few days) to fix the hole.

This is just good security practice. It is hoped that, in turn, the other
vendors will do the same.

On Sun, 27 Feb 2000, Avi Schwartz wrote:

> No, we are not talking about security through obscurity. It is common
> to notify the maintainers of a piece of software about a security hole
> before you notify the public to give them a chance to fix the problem.
> If you find that the door locks are broken in your subdivision due to a
> manufacturing error, are you going to announce on the radio that the
> doors cannot be locked and invite every thief for a visit or are you
> going to replace the locks first and then notify everyone else about the
> problem?
> Avi
> cogNiTioN wrote:
> >
> > How do we know it was unknown. Unpublished, probably; unknown, almost
> > certainly not. It is logical that if you found the hole, you're not the
> > only one capable of finding it, and therefore not the only one who has.
> >
> > Tell us we're not back to security through obscurity?
> >
> > How many other unknown bugs are people able to compromise us using?
> >
> > I thought one of the whole benefits of OSS was that security holes could
> > be found quicker, published to the community (BugTraq anyone?), and
> > patched by individuals while waiting for the vendor to do so.
> --
> Avi Schwartz Get a Life
> avi@xxxxxxxxxxxxxxxxxxx Get Linux


L. Sassaman

System Administrator | "All of the chaos
Technology Consultant | Makes perfect sense..."
icq.. 10735603 |
pgp.. finger:// | --Joe Diffie


