Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994
daemon@ATHENA.MIT.EDU (Paul 'Shag' Walmsley)
Wed Nov 30 15:37:55 1994
Date: Wed, 30 Nov 1994 02:53:56 -0600 (CST)
From: "Paul 'Shag' Walmsley" <ccshag@cclabs.missouri.edu>
To: Pat Myrto <rwing!pat@ole.cdac.com>, spaf@cs.purdue.edu
Cc: bugtraq@fc.net
In-Reply-To: <9411290116.AA27210@rwing.UUCP>
On Mon, 28 Nov 1994, Pat Myrto wrote:

> "In the previous message, Gene Spafford said..."
> > You've been skipping your Prozac again. Naughty, naughty!
>
> That the best you can do? The air must be very rarified up there on
> Snob Hill...

Yeeeow! Looking over the stated positions of both Pat and Spaf over the
past twenty posts, I'm having trouble finding the significant differences
in their opinions.

While at first Spaf seemed to come off (rather arrogantly, IMHO,
whether it was intended to be or not) against full disclosure at any point
in time, one of his followup posts stated that he was in favor of full
disclosure, after a period of time to allow vendors etc. to work on a fix.
Pat seemed to make the same point - that full disclosure was a Good Thing
as long as people had a week or so to close the hole in some way.

So what are we disagreeing on, now? If you're both pro-full disclosure,
are you differing on the amount of time between the problem announcement
and full exploit details? Are we all just flaming each other for the
hell of it?
While I'm typing: personally, I'm in favor of full disclosure, for the
following reasons:

- I've learned quite a bit about security holes from knowing where
others have made security mistakes. I know of others, both crackers and
sys admins, who also have learned more about writing secure programs via
full disclosure - we shouldn't restrict knowledge just because it has the
'possibility' of falling into so-called 'bad hands' - we are doing
ourselves as much of a disservice.

- Full disclosure allows many people to analyze holes to determine if
they are present elsewhere in the system, as opposed to merely trusting
the vendor's engineers or the discoverer of the bug. I liken it to
cryptanalysis: how do you know if a cryptographic algorithm is anywhere
near secure without seeing the algorithm itself?

- Full disclosure allows third parties to issue better patches, if they
so desire. An example (albeit a slightly flawed one) would be 8lgm's
patch for SunOS bin/mail.

- I do believe that vendors respond much more quickly to a
'full-disclosure' alert than a more suppressed one. For example, if I
was an OS vendor and someone released a 'censored' security alert about
my suid_exec, for example, I would assume that I could take my time
releasing a patch if the method for exploiting that hole would not be
widely known. On the other hand, if I knew that someone was going to
come back in a week or two and post exploit info, I'd make that patch a
high-priority release!

- Paul "Shag" Walmsley <ccshag@everest.cclabs.missouri.edu>
"The only difference between myself and a madman is that I am not mad."
- Salvador Dali