[3845] in bugtraq
Re: CERT, CIAC, etc. unethical practices
daemon@ATHENA.MIT.EDU (Mike Kienenberger)
Sun Dec 22 23:29:02 1996
Date: Sun, 22 Dec 1996 15:06:08 -0900
Reply-To: Mike Kienenberger <mkienenb@arsc.edu>
From: Mike Kienenberger <mkienenb@arsc.edu>
X-To: "Steve \"Stevers!\" Coile" <scoile@patriot.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
> By withholding information, CIAC and CERT are--in effect--shielding those
> sites that can't act quickly. Yes, it's security by obscurity, and yes,
> it isn't as safe as a fix would be, but it *is* better than widespread
> distribution of an exploit. It gives those system managers that don't
> have the time to jump on every obscure security hole, or who aren't
> *aware* of every security hole, to *learn* or to be told by someone in
> the know (such as a vendor). Yes, it leaves them open for attack longer,
> but it also makes it more difficult for the casual cracker to get his
> hands on the information and cause problems.
Most security holes can be fixed by:
a) removing a setuid or setgid bit, or
b) providing a wrapper that corrects the path, the environment, or the
arguments supplied to a program.
*IF* we knew about such problems, it'd be trivial to make a temporary
fix, even for a "below-average" system administrator.
Having even a shoddy patch is better than hoping that your site is
only attacked by below-average crackers. Security by obscurity is
a poor decision to make if you've got other choices, and most of the
time you do.
---
Mike Kienenberger Arctic Region Supercomputing Center
Systems Analyst (907) 474-6842
mkienenb@arsc.edu http://www.arsc.edu
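The two temporary fixes the post names, (a) dropping a setuid bit and (b) putting a wrapper in front of the program to correct its path, environment and arguments, as an added example that is not part of the original post, CERT or any vendor advisory. "vulnprog", the file paths, the argument limits and the fixed environment are all assumptions chosen for illustration; the wrapper refuses over-long or non-printable arguments, discards the caller's environment in favour of a fixed PATH, and only then execs the real binary.

```c
/* Added example, not from the original post or any vendor: a replacement
 * "wrapper" for a program whose hole is triggered through its PATH,
 * environment or arguments (mitigation (b) in the post).  Deploying it
 * also applies mitigation (a), because the real binary loses its setuid bit:
 *
 *   find / -perm -4000 -type f -print             # inventory setuid programs
 *   chmod u-s /usr/local/bin/vulnprog             # (a) drop the setuid bit
 *   mv /usr/local/bin/vulnprog /usr/local/libexec/vulnprog.real
 *   cc -O2 -o /usr/local/bin/vulnprog wrapper.c   # (b) install the wrapper
 *
 * "vulnprog" and every path and limit below are assumptions for illustration.
 * If the program genuinely needs privilege, this compiled wrapper, not a
 * shell script, is the thing to make setuid: Linux ignores the setuid bit
 * on scripts, and the wrapper is small enough to audit in full. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_PROG   "/usr/local/libexec/vulnprog.real" /* assumption */
#define SAFE_PATH   "PATH=/usr/bin:/bin"               /* assumption */
#define MAX_ARG_LEN 256                                /* assumption */
#define MAX_ARGS    16                                 /* assumption */

/* One argument passes if it is non-empty, short and purely printable:
 * over-long or control-character arguments are the usual trigger for
 * overflows and for parsers that split on newline or tab. */
int arg_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ARG_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Check argv[1..argc-1] exactly as the real program would receive it. */
int args_ok(int argc, char *const argv[])
{
    if (argc < 1 || argc - 1 > MAX_ARGS)
        return 0;
    for (int i = 1; i < argc; i++)
        if (!arg_ok(argv[i]))
            return 0;
    return 1;
}

/* Replace the caller's environment with a fixed one: a known PATH and a
 * known SHELL, nothing else, so IFS, LD_PRELOAD, LD_LIBRARY_PATH and
 * friends never reach the real program.  Returns the number of entries
 * (terminating NULL excluded), or -1 if 'out' cannot hold them. */
int build_env(char *out[], size_t cap)
{
    static char safe_path[] = SAFE_PATH;
    static char safe_shell[] = "SHELL=/bin/sh";   /* assumption */
    if (cap < 3)
        return -1;
    out[0] = safe_path;
    out[1] = safe_shell;
    out[2] = NULL;
    return 2;
}

int main(int argc, char *argv[])
{
    char *envp[3];

    if (!args_ok(argc, argv)) {
        fprintf(stderr, "%s: argument rejected by wrapper\n",
                argc > 0 ? argv[0] : "wrapper");
        return 2;
    }
    if (build_env(envp, sizeof envp / sizeof envp[0]) < 0)
        return 2;

    /* argv[0] is left as the caller supplied it; only the environment and
     * the checked arguments differ from a direct invocation. */
    execve(REAL_PROG, argv, envp);
    perror(REAL_PROG);          /* reached only if execve fails */
    return 127;
}
```

The limits are deliberately tighter than the real program needs: a wrapper that is later found too strict costs a support call, while one that is too loose leaves the hole open. Once the vendor patch arrives, the wrapper is removed and the patched binary goes back in place.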