Debian attacker may have used new exploit

JoeHill joehill-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Wed Dec 3 13:59:17 UTC 2003


On Wed, 3 Dec 2003 09:16:11 -0500
John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org> wrote:

> Immediate public disclosure does not provide more eyes
> for a bug in MS code, just more eyes in the cracker
> community.

That is a myth, propagated by MS and other proprietary vendors, to avoid
embarrassment and having to do actual work to improve security.

Witness the recent case of Diebold and their voting machines. If it were not for
the work of students and activists at Swarthmore College, no one would ever have
known of the security flaws. Diebold certainly showed no interest in fixing the
problem, even though internal memos showed they were aware of those flaws. It
was only after said students published the internal memos online that enough
pressure was brought to bear on Diebold to fix the vulnerabilities. Now
what software were those machines running again...? Oh, that's right, MS.

> Telling MS of a bug, and then telling the world later
> of the bug (and that MS was told a month earlier
> so that people can judge whether their response was
> adequate) provide more than ample pressure, and may
> reduce the number of exploits carried out against
> victims who have never had any warning or chance to
> apply a fix because there wasn't one.  If MS responds
> promptly (which they are doing better at these days -
> they've learned that they have to), then when the
> public announcement goes out any attacks prompted by
> the announcement can only be applied against people
> who have not yet applied the fix.

Again, facts and reality fly in the face of this argument. Hackers are usually,
if not always, aware of these vulnerabilities before the security
"establishment", and certainly before software designers can come up with a 
patch. Full public disclosure is one way to give the vast majority of users a
head start, before a patch can even be issued, so that they can at least be
aware of the risk. In fact, following this logic, it could be proposed that
disclosure be even *more* widespread, as soon and as widely as possible.
Security issues are not solved by a patch, they are mitigated by awareness.

Finally, there is no way to develop an enforceable "policy" in this regard, so
it is not realistic to expect that, even if you assume this "myth" is true,
people will not go on publicly releasing info on exploits. It's more realistic
to find a way to deal with the *expectation* that the exploits are already
widely known, and to work from there.

If you read the full account of the Debian incident, you will see that that is
exactly what happened, and exactly the attitude that was taken. Nothing radical
here! In fact, if you do a quick google on this topic, you will find that
nothing I'm saying is particularly original, this is the opinion of much bigger
fish than you or I.

-- 
JoeHill ++ ICQ # 280779813
Registered Linux user #282046
Homepage: www.orderinchaos.org
+++++++++++++++++++++++++++
"The modern conservative is engaged in one of man's oldest exercises in moral
philosophy; that is, the search for a superior moral justification for
selfishness."-- John Kenneth Galbraith
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml