Re: TO HELL WITH IT THEN......(re: disk-destroyer.c)

From: Mike A. Harris (mharris@meteng.on.ca)
Date: Fri Jul 21 2000 - 19:10:43 EST


On Fri, 21 Jul 2000, David Ford wrote:

>> Bets the heck out of going to the store to buy a new harddrive that can
>> have the process repeated upon it for the second new harddrive that can
>
>Andre, I quite grasp this. I stand by my earlier statement.
>If it can be fixed, write the patch and put it in and go on
>with life. With all this carrying on, it's just advertising
>for the malicious kiddie. Patches like this should be written
>and quietly introduced into the kernel and a tiny blurb made in
>the ChangeLog saying "ATA protocol violations prohibited". If
>it can't be fixed, the advertising of a bad design flaw is
>certainly not a good thing.

Actually, I disagree. One of the things necessary for security
to work is full disclosure. Making things unknown, doesn't make
them unknown. Undisclosed == closed source. If we believed in
closed source, we would be working at Microsoft. Getting it out
in the open causes the problem to be taken seriously. Actually,
it FORCES the problem to be taken seriously.

The same thing happens every day with exploits. Someone finds a
major security hole in program A. They write an exploit for it,
and a description of the problem, then warn the company who made
the program. The company threatens to sue if they announce it,
and then does nothing about it.

The person posts their exploit on the net, and next they get
sued, which leads nowhere, and now the company has to scramble to
fix it.

This is likely what will happen now to Linux, and possibly other
vendors as well. The hard disk manufacturers need to design
products that are designed with security in mind, as so does the
industry in general. For years I've wondered about the ability
to fry a modem via the flash update. Now I'm practically
convinced that it is as easy as sniffing I/O ports with dosemu
debug options. grepping and then writing modem2brick.c

>Everybody would be inherently safer from the malicious kiddie
>who doesn't [yet] know how to break things and may never know.

That is the same theory behind commercial OS's claim of
security. The source code isn't out there so nobody can find any
bugs. This is open source land here, and we know that the
commercial closed source nondisclosure security paradigms are a
crock. Look at crypto for a fine example. The strongest crypto
is that which has published source.

>By carrying on about it for a week, it's a nice honeypot for
>that malicious kiddie to search the archives and build a
>workable exploit to destroy hardware.

Good. At this point, I hope they do, just to prove Andre right
so he can come back and laugh at everyone who gave him CS
bullshit stories.

-- 
Mike A. Harris                                     Linux advocate     
Computer Consultant                                  GNU advocate  
Capslock Consulting                          Open Source advocate

... Our continuing mission: To seek out knowledge of C, to explore strange UNIX commands, and to boldly code where no one has man page 4.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:17 EST