[18945] in bugtraq


Re: Security information for dollars?

daemon@ATHENA.MIT.EDU (Cooper)
Fri Feb 2 03:53:26 2001

Message-Id:  <3A79D041.230A21C1@Linuxfan.com>
Date:         Thu, 1 Feb 2001 22:08:17 +0100
Reply-To: Cooper <Cooper@LINUXFAN.COM>
From: Cooper <Cooper@LINUXFAN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Jim Reid wrote:
>
> One - just ONE - of the features suggested - only suggested - for the
> BIND Members Forum (BMF) is that members get advance warning of
> security problems. This is not unreasonable given that members are
> likely to be folks running root, gTLD and ccTLD name servers or
> vendors who have to prepare and ship security patches to their
> customers.

Even if it's just a suggestion, it's a bad idea.

Once an exploit is discovered there are 3 things that the person that
discovers the problem can do:

1. Inform the BIND developers.

They will privately handle the issue, create some sort of patch or
update and then send out a notification so that people know they need to
upgrade. A day or so later the exploit for the problem can go public and
everybody's happy. This is probably the way most people on this list
would like things to be.

2. Send out the exploit via a public security mailing list such as this
one.

Bind developers have to race out an update or patch that fixes the
problem that is getting exploited. Every second longer they take to
develop the patch is a second during which a script kiddie can run the
exploit against a major site and mess things up royally for the sole
purpose of considering oneself '31337'.

3. Keep quiet, gain root all over the place and be proud of himself. After
some time either the hacker or the bug will be discovered. At this point
the hacker can go for the responsible 1st option, or the indifferent 2nd
option.

Now, could someone explain to me why a select list of individuals should
get an earlier warning?
Where, given the above options (and include more if you think there are
any), is there a real advantage in having a select few be aware of the
problem in order to whip out a fix?

So that vendors and package maintainers can create their new packages in
a timely fashion? For that reason the rest of the planet should remain
vulnerable that much longer?

And what if for instance the Solaris package is ready to go, and the
HP-UX package is still being put together? Should the Solaris patch be
kept on hold, allowing that many more servers to get rooted, simply
because we want all the major players to be prepared once the
notification is sent out?
For the 1st option this might sound feasible, but anybody can find the
bug so who's to say that there aren't a couple of exploits already
working their way from the experienced hackers down to the script
kiddies? Even if it remained with the experienced hackers, I still
wouldn't feel any better if it was one of those that rooted my machine.

Once you're told about a problem, you fix it and you tell the world.
What the world does with this information is its problem. A good vendor
would take the patched source, whip it into a package and get it out to
the masses as a preliminary patch/update until some proper testing can
be done. After that the patch will either be replaced by a proper
version, or stay in place until the next problem is discovered.
As for the admins of the various machines, they will immediately act on
the problem by shutting down vulnerable services, or otherwise doing
their best to keep the hackers at bay until the source patch becomes
available, compile that into a binary and run that until a
vendor-approved version comes along.

Or is that just the utopian world I thought I was living in?

Cooper
--
'twas the night before christmas, 1971, and there wasn't a sound in all
the house apart from the buzzsaw, and the clanking of chains and the
hedge trimmer and the wet slap of human brain tissue on concrete...
	- DV8 1/2 -
