Re: Debian Investigation Report after Server Compromises

On Tue, 02 Dec 2003 13:12:40 -0600, Alex Malinovich wrote:

> On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
>> Shoulda Been:
>> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
>> What a wanker I am. No, Peter no comment needed.
>> On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
>> >
>> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.htmlDebian
> Thanks for the link. It certainly makes for interesting reading. Though
> I am somewhat concerned about the following bit from the message:
> "Please understand that we cannot give away the used exploit to random
> people who we don't know.  So please don't ask us about it."
> I'm afraid I'm part of the group that just doesn't understand. This
> snippet reeks of security through obscurity for me. If the hole has been
> identified and, presumably, fixed, why not tell people about it?

There is always a conflict between security and openness.  MS's approach
has always been not to say anything until a fix has been propagated;  they
are often criticized for that, but I'm sure they'd be deluged in lawsuits
from compromised system owners if they advertised the exploit to bad guys
before they had a fix.

In this case, the exploit is still an issue for those who have not yet
applied a fix.  So to publish the exploit code itself is to expose many
Debian systems to needless risk.

Well, that's the way I see it, anyway.


"Reports that say that something hasn't happened are always interesting
to me, because as we know, there are known knowns; there are things we
know we know.  We also know there are known unknowns; that is to say we
know there are some things we do not know. But there are also unknown
unknowns - the ones we don't know we don't know."

- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain
  English Campaign's 2003 "Foot in Mouth" award.

