Debian attacker may have used new exploit

John Macdonald jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at public.gmane.org
Wed Dec 3 20:23:31 UTC 2003


On Wed, Dec 03, 2003 at 11:02:47AM -0500, JoeHill wrote:
> On Wed, 3 Dec 2003 09:59:43 -0500 (EST)
> Robert Brockway <robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
> 
> > Software vulnerabilities are normally fixed by patches but I'll agree that
> > security overall is more a function of awareness.  I think this sentence
> > mixes up two different concepts (specific security issues vs security
> > procedures and knowledge).
> 
> Not at all. You are again assuming that "script-kiddies" gain somehow from the
> widespread "awareness" of vulnerabilities, an assumption to which I do not
> subscribe, mainly for lack of evidence.

Straw man.  It doesn't matter whether script-kiddies
learn about a hole, but whether they are fed with
new exploit scripts.  The exploit writers are the
ones to worry about.  If you can prove that exploit
writers always know of vulnerabilities before
any public disclosure; or else they always ignore
any vulnerability that they learn of from a public
disclosure, then you can argue that disclosure has not
hurt.  I think that you could not possibly prove those
assertions, which means that you have to acknowledge
that disclosure might possibly cause damage.

> From Security Focus:
> 
> "A successful attacker requires three things: the opportunity to launch an
> attack, the capacity to successfully execute the attack, and the motivation to
> attack. An opportunity to launch an attack requires a vulnerable system and an
> access path to the system. The capability to successfully execute the attack
> requires knowledge of the vulnerability and the tools to exploit it.
> 
> Proponents of the information dictatorship argument are targeting the second
> requirement of a successful attacker: his capability to launch an attack. This
> approach to the problem of computer security is flawed, and can only fail.

You seem to think that there are only two choices:
immediate public disclosure or long term secrecy.
You give arguments that the first might not cause
problems and that the second is bad.

The middle ground; public disclosure after either
a fix is available or significant time has elapsed;
is not disproved by the "long term secrecy is bad"
argument because it is not requiring or depending
upon long term secrecy.  It is not disproved by the
"immediate disclosure might not be bad" argument
because immediate disclosure is not even going to be
better and might be worse.

> First, we cannot stop some small number of malicious users from gaining
> knowledge of vulnerabilities, or access to the tools that exploit them.
> Vulnerability information and exploits have legitimate uses with the computer
> security field. They are part of research, are required in penetration testing,
> and used by system administrators to test their systems, mitigate the risks by
> gaining an in-depth understanding of the problem, and to verify that vendor
> fixes work as advertised."

Nope, we cannot stop them.  But delayed disclosure
will, in at least some cases, reduce the number of
malicious users with such knowledge before a fix
is available.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml