Re: full disclosure, or not?

To: debian security <debian-security@lists.debian.org>
Subject: Re: full disclosure, or not?
From: Horst Pflugstaedt <Pfaedt@uni-duisburg.de>
Date: Sun, 27 Jun 2004 17:14:38 +0200
Message-id: <[🔎] 20040627151438.GA1803@home>
Mail-followup-to: Horst Pflugstaedt <Pfaedt@Uni-Duisburg.de>, debian security <debian-security@lists.debian.org>
In-reply-to: <[🔎] 20040627114345.GF1074@cirrus.madduck.net>
References: <[🔎] 20040626123902.GA4616@cirrus.madduck.net> <[🔎] 20040626195501.GA6416@home> <[🔎] 20040627114345.GF1074@cirrus.madduck.net>

On Sun, Jun 27, 2004 at 01:43:45PM +0200, martin f krafft wrote:
> also sprach Horst Pflugstaedt <Pfaedt@uni-duisburg.de> [2004.06.26.2155 +0200]:
> > what would be the alternative?
> > The security team would have to annonce "there's a possible security
> > flaw in package XY, we're on it, but it may take some more days to fix
> > it"
> > 
> > What's the worth of such announcements? Users (You'd) know about a bug, but
> > still could not do anything about it. After all, I'd strongly object
> > to my web-host/ISP/Sys-Admin/... switching off
> > apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
> > an yet unfixed security-problem. 
> 
> That's a thing of your webhoster. But if I knew of e.g. a root
> exploit in the HTTP part of a mission-critical server containing
> secret data, i want to turn it off, or take additional security
> precautions, like a firewall layer etc.

If you can do so... you cannot switch off mission-critical services.
(I'd love to see amazon/google/whoever switch off the webserver).
Firewalling only helps, if you find a way to differentiate 'good' from
'bad' packets to your service.
What if IPTables had a security flaw?

I expect you are doing as much as you can to secure your system. The
rest is hoping, that's enough.

> 
> not knowing about it doesn't mean that the "bad guys" don't know
> about.

and if the bad guys found out before you, they wouldn't tell.
I don't know the translation for the german saying... "waking up a
sleeping dog". what else would a public announcement do?

A no-delay-announcement of security issues would be a more dangerous
threat to sites running that software than a policy of first
developing a patch and thenn offering an instant solution.
Not everybody has the capabilities to react in an appropriate way to
a known but unfixed sec-issue.

kind regards
Horst

last post for me. I'm no member of the security-team, nor am i
developer. I don't know the earlier discussions, but these would have
been my points.
i can understand the wish to be up-to-date on security-issues. 

-- 
#debian.de
< stoffel_> was wurde aus sex & drugs & rock'n roll?
< Lam_al_Adie> stoffel_: dieter bohlen, Harald juhnke und peter kraus?

Reply to:

References:
- full disclosure, or not?
  - From: martin f krafft <madduck@debian.org>
- Re: full disclosure, or not?
  - From: Horst Pflugstaedt <Pfaedt@uni-duisburg.de>
- Re: full disclosure, or not?
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: full disclosure, or not?
Next by Date: Re: full disclosure, or not?
Previous by thread: Re: full disclosure, or not?
Next by thread: Re: full disclosure, or not?
Index(es):
- Date
- Thread