--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry <ges...@yahoo.com>
On Tue, 15 Sep 2009 23:47:10 -0700
Jerry <ges...@yahoo.com> wrote:
> Waiting until someone is harmed is tantamount to being an
> accomplice to the act.
And providing details of a currently-undefendable vulnerability
to a black hat who did not previously know about it, thereby
enabling the black hat to perpetrate harm that would otherwise
not have occurred, isn't?
The simple act of publishing the fact that a know exploit exists for a
given program compromises nothing. Example:
WARN: The following program(s) have known exploits.
PROGRAM VERSION: 2.4
EXPLOIT: Potential to render HD inaccessible
PATCH: NONE AVAILABLE
SUGGESTION: If prog-name is not imperative to system
performance, remove it and consider using a similar
product by another author.
A simple solution that affords the end user the right to make an
informed decision. I realize that governments, especially
socialistic/fascists ones use the terms 'censorship' and 'secret' with
the term 'For their own good' interchangeable. I would hate to see the
open-source community, especially FBSD embracing that philosophy.
Are you really serious? What you posted (your example) does absolutely no good
for the average user. What are you going to do? Stop using the program? And
how can you possibly make an "informed decision" when you know nothing other
than the fact that something is wrong?
OTOH, it's all an attacker needs to start digging around and successfully break
Think about this. A guy wants to find a pot of gold. He goes to a field and
finds 12,000 pots. Where does he start? Along comes someone who believes in
"freedom of speech" and says, "Well, I don't know where the gold is, but that
pot over there is a good place to look. I happen to know that it was put there
recently and there was a lot of secrecy surrounding it."
Or an attacker approaches a seemingly impenetrable castle, trying to figure out
how to defeat the army inside. He knows he's going to have probe every area
and lose many men in the process in order to find a weakness he can exploit.
Then one soldier, believing in "freedom" sends them a message that there's a
weakness on the north face of the wall. He doesn't tell them exactly where,
but he's managed to focus their efforts on the area most likely to allow them
to breach the wall and defeat the army inside, he's reduced the attacker's
efforts by three fourths and reduced their losses as well.
You clearly don't understand the advantage that hackers have over the average
Rather than censorship, how the FreeBSD team handles issues like this is good
stewardship. They have a responsibility to the community to protect them.
They do that by not irresponsibly trumpeting known weaknesses before a solution
is available to the end users.
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
email@example.com mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"