Re: TO HELL WITH IT THEN......(re: disk-destroyer.c)

From: David Ford (david@kalifornia.com)
Date: Fri Jul 21 2000 - 19:48:17 EST


Bartlomiej Zolnierkiewicz wrote:

> Yes, do it micro$oft's way... Do you think that this is really hard to
> discover? I have been recently reading T13 docs and I thought that it
> would be nice to try some things (similar to destroy-disk.c) when I
> have some time... now I'm really happy that I didn't have time to try
> them... :-)
>
> Sendmail people once fixed something without documenting it in the
> changelog... and most admins were too lazy to upgrade to the new sendmail
> because there weren't important changes... later there was an exploit
> using this fixed thing... get it?
> By doing silent fixes you make people think that they don't need to
> upgrade... IMHO the proper way of fixing security issues is the way
> the capabilities "bug" has been fixed...
> Fast spreading of information has pros and cons, and you have to deal
> with them... You know about some security hole... but malicious bastards
> also...

I didn't say don't document it and I didn't say don't make notice of it. I said do it
the right way and fix it, give the distros a chance to patch it in and then announce
it. This is the standard ~two week courtesy. It's rather irresponsible to release an
exploit without people having a fix available, even if there are only a few hours
between the two. The exploit should -always- come after the fix unless the fixer
refuses to fix.

Read again what I wrote :)

Don't make a big issue of it until the patch is made and available, once it is, spread
the word far and wide.

> IMHO good sysadmin shouldn't be afraid of script-kiddies...

A good sysadmin should be terrified of script kiddies that can mutilate his system and
he has no way to protect himself because there isn't a fix yet.

> > By carrying on about it for a week, it's a nice honeypot for that malicious kiddie
> > to search the archives and build a workable exploit to destroy hardware.
>
> Andre revealed the "exploit" because most (all?) of his opponents were too
> lazy to look at the patch and the kernel's code and see what it is all about!

Not really. Some of us weren't understanding what he was saying simply due to language
differences. Andre gets highly upset because he misinterprets what one guy says and
another guy doesn't understand what Andre means. I understood it rather quickly but
that doesn't mean everyone correctly interpreted what he was saying.

-d

--
"The difference between 'involvement' and 'commitment' is like an
eggs-and-ham breakfast: the chicken was 'involved' - the pig was
'committed'."

This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:17 EST