J.H.M. Dassen (Ray) wrote:
> On Tue, Dec 02, 2003 at 13:35:51 -0600, Micah Anderson wrote:
> > Previous kernel security holes have been treated with a lot more "transparency" and communication than this one was. I am disappointed that this one wasn't.
>
> I fail to see how this was treated with less transparency than previous holes. The only difference I see is that with previous kernel security holes, like the ptrace one, the kernel developers recognised the security implications of a coding bug almost immediately, whereas in this case it took quite some time. That's unfortunate, but quite understandable. Mistakes happen.
>
> Ray
I think this incident is a nice lesson learned for everyone. A found coding bug can always have security implications, as there will always be someone ingenious enough to create an exploit for it. We all know some bigger software company telling its customers that some coding bugs are not that critical, until the next worm / email virus appears...
If the behaviour of a piece of code cannot be predicted under any circumstances it represents a risk. And I would even say that in the real world we will never find anything that is totally risk free. The question is rather if we are willing to take a certain KNOWN risk or not.
Marcel

PS: I wanted to thank the whole Debian security team and everyone who helped put together this very detailed and concise report about the hacked servers.