security embargos (was: Re: ssl security desaster)
Sorry, I did not answer to the list:
On Wed, 28 May 2008 at 1:13, Colin Watson wrote:
> > It is never ever a good idea to make security issues secret or to
> > protract them.
> > And in this special case it was easy to fix the problem very fast when
> > the advisory came out.
> Let's say you'd been asleep at the time, and the advisory had laid out
> everything necessary to make it trivial to produce an exploit (it could
> easily have been much more explicit than it was, and even with limited
> information it only took a day and a half to produce an exploit; a
> couple of hours would not at all have been out of the question). Would
> you still feel the same way if your accounts had been compromised?
Well, real men have a direct connection of the CVE advisories to his
But seriously, yes; otherwise I am not sure whether my system might be
compromised by someone who has more knowledge (from whatever source)
than me. That last one does scare me!
> If we had released any sooner, the OpenSSH blacklisting support would
> not have been available, and every system administrator would have had
> to figure out what was going on by hand rather than have the upgrade
> automatically deny attempts to exploit this vulnerability. If we had
> released later, a number of flaws in the blacklisting support could have
> been fixed, alleviating a great deal of confusion among system
> administrators (I spent considerable time that week supporting people
> confused by the new tools), and I doubt it would have made much if any
> difference to exploit production.
I also spent some time with weak administrators who did not understand
the consequences of this bug or were not able to read Perl code or use
patch. But I do not whine about it.
It is better to have the bug published without a blacklist, so the systems
can be secured as early as possible, than to have an open system where some
bad people might have this information anyway and use it.
> We used the embargo period to develop tools to help system
> administrators defend themselves, not to sit in a smoke-filled room
> gloating that we knew a secret and you didn't.
I believe that. But it scares me to know that there is information out
there which could be known by bad people to attack (my) systems because
others need an embargo time to develop tools to help me see what
exactly is vulnerable. The bad people might have ways to get to the
information about zero-day vulnerabilities.
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
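The thread above argues about timing, but the mechanism Colin refers to (OpenSSH refusing keys that appear on a blacklist of known-weak key fingerprints) is simple to model. The following is an added example, not code from this thread, from Debian, or from the openssh-blacklist/ssh-vulnkey tooling of 2008: it builds constructed `ssh-rsa` public key lines, computes their OpenSSH-style SHA256 fingerprints, and splits an `authorized_keys` file into accepted and denied lines against a fingerprint set. The function names, the use of full SHA256 fingerprints (the real tooling used its own blacklist format), and the sample keys are assumptions of this example; the moduli are arbitrary integers, not real RSA keys.

```python
# Added example: a minimal model of "deny logins from keys on a blacklist of
# known-weak fingerprints". Names, file format and sample keys are constructed
# for the demo; the real 2008 Debian/Ubuntu tooling used its own blacklist format.
import base64
import binascii
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero byte if the high bit is set)."""
    raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa' line from (e, n).

    Constructed for the demo only: n is just an integer, not a real modulus.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of a key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64)
    # The blob starts with its own type string; it must agree with the declared type.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def filter_authorized_keys(lines, blacklist):
    """Split authorized_keys lines into (allowed, denied) by fingerprint.

    Blank and comment lines pass through as allowed. Malformed lines are
    denied rather than silently accepted, mirroring a fail-closed check.
    Lines with leading options (command="...", from="...") are not handled here.
    """
    allowed, denied = [], []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            allowed.append(line)
            continue
        try:
            fp = fingerprint(stripped)
        except (ValueError, struct.error, binascii.Error):
            denied.append(line)
            continue
        (denied if fp in blacklist else allowed).append(line)
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample data: two keys, one of which we pretend is on the blacklist.
    weak = build_rsa_pubkey_line(65537, 0xC0FFEE1234567, "weak-key@example")
    good = build_rsa_pubkey_line(65537, 0xDEADBEEF99, "good-key@example")
    blacklist = {fingerprint(weak)}
    ok, bad = filter_authorized_keys(["# demo authorized_keys", weak, good], blacklist)
    print("allowed:", ok)
    print("denied: ", bad)
```

The check keys on the fingerprint rather than the raw line so that comments or whitespace changes cannot smuggle a blacklisted key past it; an administrator rebuilding a host after the 2008 advisory would run the same comparison over every `authorized_keys` and host key on the machine.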