On Thu, 18 Feb 1999, Theo de Raadt wrote:

> > People who publish bugs/exploits that are not being actively exploited
> > *before* giving the vendor a chance to fix the flaws are clearly
> > grandstanding. They're part of the problem -- not the solution.
>
> No. The problem is badly written code.
>
> It takes me about 2 minutes to find bugs in security related software.
>
> I am assuming that I'm not the only person looking for these kinds of
> bugs.
>
> The REAL problem is software package maintainers who do not proactively
> audit their software.

It is also downright rude to maintainers, regardless of whether or not they
proactively audit. Something can always be missed, and there is no reason to
open X number of systems up to an unknown bug before there is any kind of a
patch available.

If an exploit is being actively exploited, then YES, information should be as
widely disseminated as possible. If one is picking through the code and sees
something funny that may be exploitable, it IS nothing more than grandstanding
when announced without a fix. If someone can hack code well enough to
recognize flaws, they can hack out a preliminary patch (esp. with free
software; obviously the vendor should be given a reasonable time period (note:
24 hours is not reasonable) with closed source software) that can at least
give people a heads up if the maintainers choose to ignore it.

I thought everyone just wanted to make software more secure, not gain the
undying admiration of script kiddiez and d00dz everywhere. It's NOT THAT HARD
to send a bug report in to a maintainer. When these things come to BUGTRAQ
they have to filter through secondhand to dev teams, which is NOT the way to
get secure software. It only encourages more exploitation of innocent systems.

I'm off-topic. Sorry.

--
<http://www.psnw.com/~posterkid/keys/> for DSA/ElG-E/RSA keys
DSA 0x0A641AA5: 0B1E 37B7 ECCB FC96 B6C6 7242 0A59 F8D5 EFA9 4F81
RSA 0x4E65C321: 42 57 B3 D2 39 8E 74 C3 5E 4D AC 43 25 D2 26 D4
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:31 PDT