Debian attacker may have used new exploit
JoeHill
joehill-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Wed Dec 3 12:46:08 UTC 2003
On Wed, 3 Dec 2003 08:24:38 -0500
John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:
> > > Ask yourself: if this were a certain proprietary company, would this
> > > news leak out so quickly, and would said organization publish a detailed
> > > post-mortem as soon as one is available?
> >
> > There's no "if". Microsoft actually got seriously pissed recently when news
> > of *seven* new vulnerabilities, two of them critical, was released to the
> > general public rather than being privately and secretly notified
> > themselves.
>
> That's a different matter and worthy of everyone being
> pissed. Anyone finding a new vulnerability should
> notify the owner of the code and give them some time
> to find a cure before making a public announcement.
> For an open source project, the original notification
> will be partially public, but you still should not
> try to make the news widely public until there has
> been adequate time to find a fix and distribute it.
> (Proprietary source products often require a longer
> period of time for that process to be carried out.)
> After the period of time is up, then announcing
> the vulnerability is fine (and if the code owner
> has wasted the time and not arranged a fix to be
> distributed widely enough, it rightly looks bad
> on them).
I think considering MS's past behaviour in this respect (ie. taking *months* to
issue fixes that do not even work), the discoverers of the vulnerabilities did
the right thing. Leaving that aside, MS has no right to expect "courtesy" from
the security community, taking into account it has acted with aggressive
intolerance at any and all criticism of it's security track record, witness the
recent case of the CCIA report and the subsequent firing of it's principle
author from an MS-connected company, @Stake.
The argument that public disclosure of security flaws encourages hackers is very
weak, and reeks of justification, in comparison to the logically sound idea that
more public scrutiny means more pressure, and more resources, brought to bear to
fix said bugs. Hence Eric S. Raymond's "many eyes make all bugs shallow."
--
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
"I have the South in front of me and the bankers behind me -- and for my
country, I fear the bankers most."-- Abraham Lincoln
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
More information about the Legacy
mailing list