--On Wednesday, September 16, 2009 06:08:50 -0500 Jerry <ges...@yahoo.com> wrote:


On Tue, 15 Sep 2009 23:47:10 -0700
per...@pluto.rain.com wrote:

Jerry <ges...@yahoo.com> wrote:
> Waiting until someone is harmed is tantamount to being an
> accomplice to the act.

And providing details of a currently-undefendable vulnerability
to a black hat who did not previously know about it, thereby
enabling the black hat to perpetrate harm that would otherwise
not have occurred, isn't?

The simple act of publishing the fact that a know exploit exists for a
given program compromises nothing. Example:

WARN: The following program(s) have known exploits.

PROGRAM:         prog-name
PROGRAM VERSION: 2.4
OS:              FreeBSD-7.2+
EXPLOIT:         Potential to render HD inaccessible
PATCH:           NONE AVAILABLE
SUGGESTION:      If prog-name is not imperative to system
                 performance, remove it and consider using a similar
                 product by another author.

A simple solution that affords the end user the right to make an
informed decision. I realize that governments, especially
socialistic/fascists ones use the terms 'censorship' and 'secret' with
the term 'For their own good' interchangeable. I would hate to see the
open-source community, especially FBSD embracing that philosophy.


Are you really serious? What you posted (your example) does absolutely no good for the average user. What are you going to do? Stop using the program? And how can you possibly make an "informed decision" when you know nothing other than the fact that something is wrong?

OTOH, it's all an attacker needs to start digging around and successfully break in.

Think about this. A guy wants to find a pot of gold. He goes to a field and finds 12,000 pots. Where does he start? Along comes someone who believes in "freedom of speech" and says, "Well, I don't know where the gold is, but that pot over there is a good place to look. I happen to know that it was put there recently and there was a lot of secrecy surrounding it."

Or an attacker approaches a seemingly impenetrable castle, trying to figure out how to defeat the army inside. He knows he's going to have probe every area and lose many men in the process in order to find a weakness he can exploit.

Then one soldier, believing in "freedom" sends them a message that there's a weakness on the north face of the wall. He doesn't tell them exactly where, but he's managed to focus their efforts on the area most likely to allow them to breach the wall and defeat the army inside, he's reduced the attacker's efforts by three fourths and reduced their losses as well.

You clearly don't understand the advantage that hackers have over the average user.

Rather than censorship, how the FreeBSD team handles issues like this is good stewardship. They have a responsibility to the community to protect them. They do that by not irresponsibly trumpeting known weaknesses before a solution is available to the end users.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to