On Tuesday, 28 July 1998, at 13:14:30 (-0600), Theo de Raadt <deraadtat_private> wrote:

> Said the pot to the kettle.
>
> Go at it -- if you don't run OpenBSD, you have a couple hundred extra
> /tmp races to deal with.
>
> Does this sound like a change in topic? I don't think so. We have
> done tons to improve localhost security (races, protocols, not just
> buffer overflows like most other people fix). But there will always
> be crashes. Sorry. We Do What We Can. We really don't expect to be
> mauled to death when some little crash gets reported.

Here you and I are in absolute, 100% agreement. OpenBSD has done huge amounts of work to improve security, and I doubt if anyone on this list would deny that. We also know you're human. We all are, and we all make mistakes.

I've only seen one below-the-belt attack on the OpenBSD folks in this thread, and it was uncalled-for. We as the security community should be able to publicize exploit information without making pointless editorial comments about who screwed up and how badly. Everyone makes mistakes, and they should be given the opportunity to fix it. That doesn't, however, remove the need for announcements to lists like this one. My point is simply that the information should be supplied without excessive editorialization.

> Sorry, but I must continue to disagree about the relevance of this
> entire issue to bugtraq. Question: What have you learned now that
> this crash report has turned into 20 bugtraq postings, half of them
> posted after a fix for the problem was available?
>
> Shall we have a similar discussion the next time we find a way to crash
> the system?

Perhaps not, but the need for the discussion remains. Often Aleph One summarizes all the "this-OS-is-vulnerable" and "this-one-isn't" posts into one, which is probably a good practice. (As if he didn't have enough to do already....) :-) But I stand by it being an exploit and having a place on this list.

> Are these crashes really that much more interesting than completely
> new issues like www.openbsd.org/errata.html#fdalloc, which affect
> every single operating system, and yet did not get discussed on
> bugtraq?

Not at all. All it takes is one post. Perhaps a post needed to be made (before you posted the URL anyway...now the info is out there). But that *still* doesn't change the fact that local-user-compromises should be taken seriously.

Michael

--
"The breakup was mutual, but it was more mutual on my part." -- Beth O'Hara
=======================================================================
Michael Jennings http://www.tcserv.com/ <mejat_private>
Senior Systems Engineer, Synectics, Inc. http://www.synectics.com/