On Tue, May 27, 2008 at 01:45:25AM +0200, Klaus Ethgen wrote:
> On Tue, 27 May 2008 at 1:09, Colin Watson wrote:
> > On Thu, May 15, 2008 at 09:15:57AM -0700, Mike Bird wrote:
> > > The rollout of information and updates was appalling - even adding in
> > > the material from Ubuntu the information was piecemeal and inadequate
> > > to properly secure systems within the limited time before crackers
> > > might be expected to have exploits.
> >
> > I think part of the problem here was that the coordinated release date
> > for the advisory was simply too soon after the relevant parties were
> > notified.
>
> Ehem, is it your idea of security to make it secret (like Microsoft often
> does)?

Well done; a straw man combined with an implication of an ad hominem. That always really impresses me.

> It is never ever a good idea to make security issues secret or to
> protract them.
>
> And in this special case it was easy to fix the problem very fast when
> the advisory came out.

Let's say you'd been asleep at the time, and the advisory had laid out everything necessary to make it trivial to produce an exploit (it could easily have been much more explicit than it was, and even with limited information it only took a day and a half to produce an exploit; a couple of hours would not at all have been out of the question). Would you still feel the same way if your accounts had been compromised?

If we had released any sooner, the OpenSSH blacklisting support would not have been available, and every system administrator would have had to figure out what was going on by hand rather than have the upgrade automatically deny attempts to exploit this vulnerability. If we had released later, a number of flaws in the blacklisting support could have been fixed, alleviating a great deal of confusion among system administrators (I spent considerable time that week supporting people confused by the new tools), and I doubt it would have made much if any difference to exploit production.

> > but I think an extra day or two on the embargo period would very
> > likely have produced a better result.
>
> It is never a good idea to set an embargo period for a security issue.
> This is more valid for the scope of this big security problem!

If it had been released without an embargo, many more systems would have been compromised, and (given the severity) it's entirely possible that somebody would have managed to write a worm that took advantage of this to seriously damage Internet infrastructure. It's as simple as that.

We used the embargo period to develop tools to help system administrators defend themselves, not to sit in a smoke-filled room gloating that we knew a secret and you didn't. I believe wholeheartedly in full disclosure of all security problems. Nothing else ultimately makes sense, particularly in the free software world. That doesn't mean I think we have to actively help the black hats; a few days of advance notice is just about all the advantage we have, and we desperately need to make good use of it.

> All together I must say it was very professional and fast how the Debian
> security team and others had done the treatment of the problem. Don't
> lower them by arguing with snake oil that the reaction was too fast!
> It can never be fast enough.

Note that I was myself heavily involved in producing some of the fixes that went out in Debian security advisories. If the people directly involved are not entitled to make comments on the process, who exactly do you think is?

I think everyone involved did a wonderful job, especially given the appalling constraints they were under. There is a difference, though, between acknowledging the excellent work that was done and burying one's head in the sand claiming that nothing could possibly have been improved.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]

