Re: Debian Server Compromise -- A Fire Drill ??
On Thursday 04 December 2003 12:17 pm, Dave wrote:
> On Thu, 04 Dec 2003 18:00:18 +0100, Tom <firstname.lastname@example.org> wrote:
> >On Thu, Dec 04, 2003 at 10:15:12AM -0600, John Hasler wrote:
> >> ... That's why the kernel
> >> developers thought it was just an ordinary bug: they could see no way to
> >> exploit it.
> >That statement is somewhat disconcerting. The hypothesis is that many
> >eyes detect secure bugs, and here is clear case evidence contradicting
> >that hypothesis.
> There is no contradiction. Many eyes detect most security problems, but
> not all. This is certainly better than just a few eyes with access to
> proprietary code.
There is also the point that *somebody* found this bug. Just not the
folks we were hoping would. ;-) Letting real crackers hammer your
system is another way to find bugs, although we hope it's a last resort.

Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com