[ale] [Flame] A Disservice to the Linux Community

Keith Hopkins hne at inetnow.net
Sat Nov 3 13:53:15 EST 2001

Herman Knief wrote:

 > Having been in the computer ans specifically the sysadmion business for a good number of years, I am glad to see that the information about this bug was withheld...
 > Yes, more people could have been looking at it, including those who would do malicious things if given the opportunity.  How many machines do you think were saved by not letting everyone know that there was a hole here?  Think about that for a minute.  No, it's not about commercialism, it's about common sense and doing what you can to protect people's vested interests in Linux itself, and the businesses that people like myself have built using Linux as a platform.  It's not just about a security hole, you also have to look at the type of security risk.  If it's a local
 > expoit, yes, let the world know.  If it's a remote exploit, you have to be a little more conscious about your actions and the potential consequences of those actions.  I am quite sure that the people involved considered whether or not to make this public.  There was probably also consideration given to "how easy to exploit" this problem was.  If anyone was really trying to hide something, I am sure that nothing would have been said at all, and unless someone does a thorough audit of the code itself, change notes themselves would not have given anything away.
 > Personally I commend SuSE and the other distro's for trying to protect my interests, and I'm sure the people who know the code best (e.g. people like Alan, Nikita, Roman and others) were closely involved in generating the fix for this.  I thnka them for doing the responsible thing.
 >  - Herman
 > Ray Dillinger wrote:
 >>On Sat, 3 Nov 2001, Peter Nixon wrote:
 >>>On Sat, 03 Nov 2001 21:23:55 +0900
 >>>Keith Hopkins <hne at inetnow.net> wrote:
 >>>>Greetings to those at linuxsecurity.com,
 >>>>In regards to http://www.linuxsecurity.com/advisories/suse_advisory-1680.html, there is a note that read....
 >>>>     The information about this problem was withheld from the public
 >>>>     in coordination with other Linux vendors/distributors in order to
 >>>>     give the distributors enough time to update their kernel packages.
 >>>>     We find that this coordination is beneficial for the community,
 >>>>     while we regret that the bug could not be fixed in time before the
 >>>>     other distributor's kernel updates.
 >>>>How dare you.  I consider this to be a great disservice to the Linux community.  Linux is not about the vendors/distributors.  They are not the only ones out there with interests in security problems being fixed.  By withholding information, you take away untold number of eyes that could be looking at the problem.  Some of those eyes may even be better equipped to handle the problems than the vendors/distributors themselves, and can do so in a more timely fashion.  You have produced an unnecessary window of opportunity for malicious attacks against unprotected systems.
 >>>You sir are an idiot.
 >>>What we are talking about here is a pretty major bug in the Linux kernel.
 >>>Linux is now a mainstream product that is used comercially in many major organisations.
 >>>SuSE have done the responsible thing by giving the other comercial distributions a limited window in which to bring their distros up to date.
 >><snip ad hominem attack>
 >>>Feel free to speak again when you have something productive to offer
 >>He did offer something productive.  You flamed him for it.  Linux
 >>security is NOT based on ""commercial manufacturers" -- Microsoft's
 >>security is. Linux is not secure because bugs are hidden, ever. It
 >>is secure because when bugs become publicly known, there are hundreds
 >>of times more people who want to fix them than there are who want to
 >>develop exploits.
 >>While I agree that the choice of whether and how to reveal a bug is
 >>up to the person or people discovering it, every day it went unfixed
 >>because of you withholding information was another opportunity for
 >>a crack to be developed.  When you held it back, maybe a few dozen
 >>people were working on it.  Had you released it, a few hundred would
 >>have tried to exploit it -- which overwhelms the puny effort that
 >>distribution builders or any commercial providers can make -- but a
 >>few *thousand* would have tried to fix it first, which overwhelms the
 >>efforts of the crackers.
 >>Linux security is because of the community, not the distribution
 >>packagers.  That is why it is better than commercial products, and
 >>only as long as it continues that way will it remain better than
 >>commercial products.
 >>                        Bear

To Mr. Knief & Mr. Link,

    Thank you for your well considered words.

To Mr. Dillinger,

    Thank you for your input.  I think you at least saw the point I was trying to make.

To linuxsecurity.com,

    My apologies for giving credit or laying blame to where it was not due.  Might I suggest you add a small banner on the page indicating it is not an original work?  I simply followed the "Contact Us" link at the bottom of the page to deliver my feedback.

To all those on the lists,

   Sorry for the interruption, this channel will go back to it's regularly scheduled programming.

Opinionated as always,
    Keith Hopkins

This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list