Re: Debian Investigation Report after Server Compromises
On Tue, 02 Dec 2003 13:12:40 -0600, Alex Malinovich wrote:
> On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
>> Shoulda Been:
>> What a wanker I am. No, Peter no comment needed.
>> On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
> Thanks for the link. It certainly makes for interesting reading. Though
> I am somewhat concerned about the following bit from the message:
> "Please understand that we cannot give away the used exploit to random
> people who we don't know. So please don't ask us about it."
> I'm afraid I'm part of the group that just doesn't understand. This
> snippet reeks of security through obscurity for me. If the hole has been
> identified and, presumably, fixed, why not tell people about it?
There is always a conflict between security and openness. MS's approach
has always been not to say anything until a fix has been propagated; they
are often criticized for that, but I'm sure they'd be deluged in lawsuits
from compromised system owners if they advertised the exploit to bad guys
before they had a fix.
In this case, the exploit is still an issue for those who have not yet
applied a fix. So to publish the exploit code itself is to expose many
Debian systems to needless risk.
Well, that's the way I see it, anyway.
"Reports that say that something hasn't happened are always interesting
to me, because as we know, there are known knowns; there are things we
know we know. We also know there are known unknowns; that is to say we
know there are some things we do not know. But there are also unknown
unknowns - the ones we don't know we don't know."
- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain
English Campaign's 2003 "Foot in Mouth" award.