From: Vincent Danen (vdanenmandrakesoft.com)
Date: Tue Jun 18 2002 - 22:46:58 CDT


    On Tue Jun 18, 2002 at 05:05:11PM +0100, g wrote:

    > > Unfortunately, someone jumped the gun in making this public before the
    > > apache team had a chance to fix it which makes things very difficult
    > > for everyone (damn ISS).
    >
    > sounds like a reply bg&c would make.

    I'm sorry you feel that way.

    > considering time it takes for fixes to get drafted before fix releases,
    > i for one would rather know there is a problem and a fix is underway.

    There is no way, in this case, that a fix could be underway. ISS made
    it public 2hrs after sending a note to the ASF. I don't even know if
    they got a reply in that timeframe, never mind something to the effect
    of "we're working on it right now".

    Nevertheless, what ISS did was very wrong. Not only did they disclose
    it far too early (24hrs would *not* have made a huge difference), but
    they advertised a fix that did not fix the problem entirely!

    So what would you rather have? A false sense of security in the bogus
    patch they released with their early advisory? Or 24hrs of ignorance,
    a time frame in which it is unlikely that we would see a large number
    of exploits being performed, never mind created?

    Don't get me wrong, I'm all for public disclosure of bugs, whether
    they are currently fixed or not. But most people who find bugs give
    the authors a decent amount of time to provide a fix, and often
    coordinate with the author to release a statement. What ISS did is
    just plain ignorant.

    > this way, i am aware of a problem and can take action necessary to
    > guard against a danger.
    >
    > having a problem and not knowing about it until after a break-in and
    > possible damage, is related to 'cows and gates'. tho in case of some
    > gates, it would be 'pigs and bgates'.

    Yes. But you have to walk a fine line here. Do you let the entire
    world know of a problem without having discussed it with the author at
    all? There is such a thing as etiquette in these circles, and it is
    *proper* for someone who has found a problem to discuss it with the
    author, or at least attempt to initiate discussion and wait for a
    reasonable period of time to pass before disclosing it to the general
    public. 2hrs is *not* reasonable, and I'm sure you'll agree despite
    your need/want for immediate disclosure. It does no one any good to
    know this... this advertisement of a problem before a fix is issued
    just gives crackers who may not have known about the problem the head
    start they need to start working on exploiting it before a fix is
    made.

    The only solution then is (in this specific case) to use a faulty patch
    and believe you are secure when you're not, live with the possibility
    of the DoS, or shut down your server altogether.

    > good security is knowing asap that there is a problem.
    > bad security is finding out hard way of a problem.

    Yes, but security professionals have a responsibility that does not
    always conform to this statement. You make it too cut and dried without
    thinking of the consequences.

    -- 
    MandrakeSoft Security; http://www.mandrakesecure.net/
    "lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
    1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
    

    Current Linux kernel 2.4.18-6.10mdk uptime: 10 days 23 hours 57 minutes.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE9D/6yIEPQ5f5vKv0RAkBYAKC1LdQFPd9ILu0oK8SzQh02eRoGpQCgy7xl
    YjT1VgSNNC3E+FNBQVDULP0=
    =wLfF
    -----END PGP SIGNATURE-----