Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

Paul 'Shag' Walmsley (ccshag@cclabs.missouri.edu)
Wed, 30 Nov 1994 02:53:56 -0600 (CST)

On Mon, 28 Nov 1994, Pat Myrto wrote:

> "In the previous message, Gene Spafford said..."
> > You've been skipping your Prozac again.  Naughty, naughty!
> 
> That the best you can do?  The air must be very rarified up there on
> Snob Hill...

Yeeeow!  Looking over the stated positions of both Pat and Spaf over the 
past twenty posts, I'm having trouble finding the significant differences 
in their opinions.  

While at first Spaf seemed to come off (rather arrogantly, IMHO,
whether it was intended to be or not) against full disclosure at any point 
in time, one of his followup posts stated that he was in favor of full 
disclosure, after a period of time to allow vendors etc. to work on a fix.

Pat seemed to make the same point - that full disclosure was a Good Thing 
as long as people had a week or so to close the hole in some way.

So what are we disagreeing on, now?  If you're both pro-full disclosure, 
are you differing on the amount of time between the problem announcement 
and full exploit details?  Are we all just flaming each other for the 
hell of it?

While I'm typing: personally, I'm in favor of full disclosure, for the
following reasons: 

  - I've learned quite a bit about security holes from knowing where 
others have made security mistakes.  I know of others, both crackers and 
sys admins, who also have learned more about writing secure programs via 
full disclosure - we shouldn't restrict knowledge just because it has the 
'possibility' of falling into so-called 'bad hands' - we are doing 
ourselves as much of a disservice. 

  - Full disclosure allows many people to analyze holes to determine if 
they are present elsewhere in the system, as opposed to merely trusting 
the vendor's engineers or the discoverer of the bug.  I liken it to 
cryptanalysis: how do you know if a cryptographic algorithm is anywhere 
near secure without seeing the algorithm itself?  

  - Full disclosure allows third parties to issue better patches, if they 
so desire.  An example (albeit a slightly flawed one) would be 8lgm's 
patch for SunOS bin/mail.  

  - I do believe that vendors respond much more quickly to a 
'full-disclosure' alert than a more suppressed one.  For example, if I 
were an OS vendor and someone released a 'censored' security alert about 
my suid_exec, I would assume that I could take my time releasing a 
patch if the method for exploiting that hole would not be widely known.  
On the other hand, if I knew that someone was going to come back in a 
week or two and post exploit info, I'd make that patch a high-priority 
release!  


- Paul "Shag" Walmsley <ccshag@everest.cclabs.missouri.edu>
  "The only difference between myself and a madman is that I am not mad."
       - Salvador Dali