On Wed, Jun 19, 2002 at 01:59:21PM -0500, Vince Mulhollon wrote:
> An automobile metaphor: It's publicly known that underinflated
> "firestone tires" on a "ford exploder" occasionally pop on the
> highway, killing the occupants. Users can apply that knowledge to
> either check their tire pressures, replace the firestone tires with
> equivalent yet safer Michelin tires, buy a vehicle with better
> handling, or ignore the admittedly small risk.

I think your analogy is flawed; security vulnerabilities are treated the way they are because they are (or can be) taken advantage of through deliberate, presumably malicious action on the part of a conscious third-party actor. Substandard tires exploding on the hot asphalt causing rollovers of SUVs traveling at high speed is a different story, unless you're anthropomorphising the car and/or the road.

We don't generally classify spontaneous crashes of the X server or kernel panics as security issues, no matter how unpleasant they are. I think such examples of software (or hardware!) defects are a much better analogue to the Firestone tire recall.

> Users can apply the knowledge of the risk to avoid dangerous situations, if
> the risk is publicly announced.

That much is true.

> Regarding Debian security announcements I'd be "happy" with a "dual track",
> one "secret" detailed assessment of the vulnerability and exactly how to
> exploit it, and one public post to debian-devel saying "hey, sendmail has a
> new security hole, please either switch to exim temporarily and/or keep
> careful watch on your mail server". That should make "everyone" happy?

...except for the fact that it's also a heads-up to malicious parties to start paying more attention to sendmail than they already were. To riff on your flawed analogy, this is like making the road hotter or thinning the tread on the tire. The environment is becoming more dangerous by virtue of the announcement. And if no replacement tires are available, you could be in deep trouble.

> An automobile metaphor: Ever heard of the Corvair? Ralph Nader? "Unsafe
> at any speed"?

See above.

> Keeping secrets from the users isn't very nice behavior.

I agree, in general. I think the issue is more complex than some proponents of either side are making it out to be. On balance, however, I think the security team are taking the right approach.

We do need to take care to not let a culture of secrecy develop, however. We maintain secrecy regarding security vulnerabilities because of a specific set of real-world circumstances in a given context. Any other employment of secrecy needs to be independently justified in light of the Social Contract.

At the risk of derailing this thread into even more volatile territory, I will observe that in my experience as a kibitzer on this Project's internal politics, the security team are not anywhere near the top of my list of people whose insularity and lack of accountability cause problems for Debian's developers and users.

-- 
G. Branden Robinson                |     You live and learn.
Debian GNU/Linux                   |     Or you don't live long.
branden@debian.org                 |     -- Robert Heinlein
http://people.debian.org/~branden/ |
Attachment:
pgpS3aK3njJxR.pgp
Description: PGP signature