[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#129604: general: Social Contract: We Do Hide Problems

On Fri, 2002-01-18 at 15:20, Lars Bahner wrote:
> This doesn't cut the cheese. If, say, ``vsftpd'' i bugged with a remote
> root exploit with no patch in sight then I want to know, so I can remove
> this application system. I you know of such a hole and you are  not
> telling me, then you are hiding the problem from me. This simple and
> really can't be argued.

The problem is not that there exists a bug in the program. There are
many programs with bugs that do not fall under the category discussed
here. Those are different problems. The problem is that "evil" people
might take advantage of the bug to cause harm. The purpose of "security"
in this context is to minimize the possibility of that happening.
I can't imagine how disclosing detailed information on a root exploit
before having removed the possibility of someone using that exploit to
cause harm, can minimize the possible harm done.

Consider the following:
You are a farmer. You have cows and horses in a barn. You know there are
thieves out there who would not hesitate to steal your cattle if given a
chance. To prevent that from happening, you buy a lock for the barn door
from your local locksmith. The locksmith also provides locks for many
other farmers in your area.
One day, the locksmith discovers that the particular kind of lock that
you and others have, can easily be opened by using a needle or pin of
some kind. What should the locksmith do?
Should he post a notice in the town newspaper that states the lock isn't
safe, and describe how it can be opened without the correct key,
possibly drawing thieves to try and steal the cattle while the insecure
locks are in use? Or should he develop a fix as soon as possible and
have fixed locks or a fixing kit available in his shop - and then make
the issue public?

As for hiding:

Main Entry: (2)hide
Function: verb
Inflected Form(s): hid /'hid/; hid·den /'hi-d&n/; or hid; hid·ing
Etymology: Middle English hiden, from Old English hydan; akin to Greek
keuthein to conceal
Date: before 12th century

transitive senses
1 a : to put out of sight : SECRETE
  b : to conceal for shelter or protection : SHIELD
2 : to keep secret
3 : to screen from or as if from view : OBSCURE
4 : to turn (the eyes or face) away in shame or anger

intransitive senses
1 : to remain out of sight -- often used with "out"
2 : to seek protection or evade responsibility

- hid·er /'hI-d&r/ noun
synonyms HIDE, CONCEAL, SCREEN, SECRETE, BURY mean to withhold or
withdraw from sight. HIDE may or may not suggest intent <hide in the
closet> <a house hidden in the woods>. CONCEAL usually does imply intent
and often specifically implies a refusal to divulge <concealed the
weapon>. SCREEN implies an interposing of something that prevents
discovery <a house screened by trees>. SECRETE suggests a depositing in
a place unknown to others <secreted the amulet inside his shirt>. BURY
implies covering up so as to hide completely <buried the treasure>.

I would say the "hiding" in this case is 1a of the transitive sense
and/or 2 of the intransitive sense. (Protecting the knowledge of the
exploit from reaching people who would cause harm, and evade the
responsibility of accidentally transmitting such information to such
people before proper measures to ensure security are taken.)

Of course, it is always 4 of the transitive sense, too... :)


Reply to: