J.H.M. Dassen (Ray) wrote:
On Tue, Dec 02, 2003 at 13:35:51 -0600, Micah Anderson wrote:
Previous kernel security holes have been treated with a lot more
"transparancy" and communication than this one was, I am disappointed that
this one wasn't.
I fail to see how this was treated with less transparency than previous
holes. The only difference I see is that with previous kernel security holes
like the ptrace one, the kernel developers recognised the security
implications of a coding bug almost immediately, whereas in this case it
took quite some time. That's unfortunate, but quite understandable. Mistakes
happen.
Ray
I think, this incident is a nice lessons learned for everyone. A found
coding bug can always have security implications as there will always be
someone ingenious enough to create an exploit of it. We all know some
bigger software company telling its costumers, that some coding bugs are
not that critical until the next worm / email virus appears...
If the behaviour of a piece of code cannot be predicted under any
circumstances it represents a risk. And I would even say that in the
real world we will never find anything that is totally risk free. The
question is rather if we are willing to take a certain KNOWN risk or not.
Marcel
PS: I wanted to thank the whole debian security team and everyone who
helped putting together this very detailed and concise report about the
hacked servers.
