
security embargos (was: Re: ssl security desaster)

Sorry, I did not reply to the list:

On Wed, 28 May 2008 at 1:13, Colin Watson wrote:
> > It is never ever a good idea to make security issues secret or to
> > protract them.
> > 
> > And in this special case it was easy to fix the problem very fast when
> > the advisory came out.
> Let's say you'd been asleep at the time, and the advisory had laid out
> everything necessary to make it trivial to produce an exploit (it could
> easily have been much more explicit than it was, and even with limited
> information it only took a day and a half to produce an exploit; a
> couple of hours would not at all have been out of the question). Would
> you still feel the same way if your accounts had been compromised?

Well, real men have a direct connection from the CVE advisories to their
brain. :-)

But seriously, yes, otherwise I am not sure whether my system might be
compromised by someone who has more knowledge (from whatever source)
than me. The latter does frighten me!

> If we had released any sooner, the OpenSSH blacklisting support would
> not have been available, and every system administrator would have had
> to figure out what was going on by hand rather than have the upgrade
> automatically deny attempts to exploit this vulnerability. If we had
> released later, a number of flaws in the blacklisting support could have
> been fixed, alleviating a great deal of confusion among system
> administrators (I spent considerable time that week supporting people
> confused by the new tools), and I doubt it would have made much if any
> difference to exploit production.

I also spent some time with weak administrators who did not understand
the consequences of this bug or were not able to read Perl code or use
patch. But I am not whining about it.

Better to have the bug published without a blacklist, so the systems can
be secured as early as possible, than to have an open system where some bad
people might have this information nevertheless and use it.

> We used the embargo period to develop tools to help system
> administrators defend themselves, not to sit in a smoke-filled room
> gloating that we knew a secret and you didn't.

I believe that. But it frightens me to know that there is information out
there which could be known by bad people to attack (my) systems, because
others need an embargo time to develop tools to help me see what
exactly is vulnerable. The bad people might have ways to get to the
information about zero-day vulnerabilities.

   Klaus Ethgen
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B