Debian attacker may have used new exploit

John Macdonald jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at
Wed Dec 3 22:35:15 UTC 2003

On Wed, Dec 03, 2003 at 03:23:44PM -0500, JoeHill wrote:
> On Wed, 3 Dec 2003 15:23:31 -0500
> John Macdonald <jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at> wrote:
> > Nope, we cannot stop them.  But delayed disclosure
> > will, in at least some cases, reduce the number of
> > malicious users with such knowledge before a fix
> > is available.
> In both of your posts, you start from the assumption that immediate public
> disclosure contributes nothing, but that's all it is, an assumption. I am
> positing that putting any limits on the free exchange of this information is
> inherantly worse than any *potential* harm (never once demonstrated, only
> theorized) done by such disclosure. Straw men, babies, and bathwater, are all
> cute, but I have yet to see a strong argument, with evidence, that the free
> exchange of all security-related information, an important part of not only
> awareness and education, but also development of new tools to combat
> vulnerabilities (or the proper eradication of software which is unfixable, ie.
> Internet Exploder), somehow does more harm than good.

If both sides of an argument take the approach that
"if it is not proven otherwise, my belief should
prevail" then you never come to a useful resolution.

Far from proving that immediate disclosure has an
advantage over delayed disclosure, you haven't
even suggested any way in which it *might* have
an advantage.

All of your arguments apply only to the comparison
against non-disclosure; which no-one is trying to
claim as a good practice.  That is a straw man -
you put a false argument into the mouths of your
opponent so that you can knock it down.  It does not
accomplish any useful progress in the discussion.

It is quite obvious that immediate disclosure will
sometimes (not always but sometimes) cause damage
that delayed disclosure would ameliorate.  This will
happen when:

- no cracker happened to already know about the
  particular hole being disclosed

- only one cracker already knew about the hole,
  but he was saving it to use for a particular attack

- every cracker that knew about this hole had other
  things to do and wasn't developing an exploit yet,
  but the disclosure made the potential damage time
  limited and so it was worth switching to exploiting
  this hole at this time instead of other work

Try and prove that none of these could ever happen!
(But don't just prove that they will sometimes not
happen - I already admit that, but that is irrelevant.
You are arguing that immediate disclosure should be
done for every case.)
The Toronto Linux Users Group.      Meetings:
TLUG requests: Linux topics, No HTML, wrap text below 80 columns

More information about the Legacy mailing list