Complete.Org: Mailing Lists: Archives: linux-help: October 2003:
[linux-help] Re: security list
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: security list
From: Dustin Decker <dustind@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 2 Oct 2003 14:14:32 -0500 (CDT)
Reply-to: linux-help@xxxxxxxxx

On Thu, 2 Oct 2003, John Goerzen wrote:

> On Thu, Oct 02, 2003 at 01:32:23PM -0500, M. Osten wrote:
> > > Sometimes I want a moderated and censored list.  If you want to find out
> > > about patches for software you run and some security headlines, it's a
> > > good place to be.
> > Hum, what about when your vendor doesn't release a patch for an extended
> > period?  Don't you want to know if there is an exploit in the wild so
> 
> Then either they a) look stupid because you see that there are patches
> available elsewhere, or b) are a single source of a binary program that
> you're helpless to fix anyway.

Hehe... I don't suppose this is a good definition of how hopeless patching 
"That Other OS" really is, is it?

But really, that's the point M. Osten is trying to make here.  M$ and MANY 
OTHERS for that matter, will let KNOWN security issues languish, while 
plenty of 0+1 day exploits start getting traded.  You won't be aware of 
the trading if on a moderated list.  While a patch may not yet be 
available, a discussion of how to disable the unpatched features is the 
MINIMUM that should be discussed and disclosed in the absence of patches.  

Moderated lists _might_ give such advice, but more frequently their 
behavior is 1) Disclose the vulnerability when the vendor wants to admit 
something is awry, and 2) be silent for a few days (perhaps detailing how 
to disable vulnerable software, but not much else), and 3) shout hallelujah 
when the vendor puts out a patch, and they then share a link to an 
overloaded point from which to download it.

Don't forget 4) bitch for days about how difficult patching 300+ machines 
is, how terrible the patch behaves, and what previous patches the new one 
destroys.

Full disclosure is good - when the folks doing the disclosure are 
responsible with it.  A detailed description of the problem, and some 
source code that requires someone with intelligence to make use of, is a 
good thing.  Granted - throwing out compiled binaries or scripts that any 
script-kiddie can pull a trigger on is just stupid...  The result?

Vendors can no longer ignore and fail to patch stuff, because it's not a 
secret anymore.  This is WHY Microsoft is patching so frequently now - 
they know they can't ignore this any longer.  The same applies to all 
other vendors; we just see more of this from M$ because of their large 
install base.

My $0.02
Dustin

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi