Security Censorship

Hacker Leaks Unreleased CERT Reports 379

Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."


  • by OptimizedPrime ( 558992 ) on Tuesday March 25, 2003 @12:10AM (#5588745)
    It's a little too ironic if he's using the leaks in the reports he steals....
  • by essdodson ( 466448 ) on Tuesday March 25, 2003 @12:13AM (#5588768) Homepage
    With the way ISS handles things I bet they're after this guy.

    Otherwise... $5.00 says he works for ISS... any takers?

    • I don't think this guy works on the International Space Station............

      That's how I read your comment....
      • If he is up there, it'll be hard for anyone to get at him... ... then again, they probably could just leave him up there, and after a few months the problem would just sort of take care of itself.
        • If he is up there, it'll be hard for anyone to get at him... ... then again, they probably could just leave him up there, and after a few months the problem would just sort of take care of itself.

          Why does that remind me of:

          So um, Milton has been let go?

          Well just a second there, professor. We uh, we fixed the *glitch*. So he won't be receiving a paycheck anymore, so it will just work itself out naturally.

  • FD and Bugtraq (Score:5, Informative)

    by jmays ( 450770 ) on Tuesday March 25, 2003 @12:13AM (#5588772)
    If you enjoy Bugtraq and can put up with the occasional flame war ... FD is an awesome list. FD Charter [netsys.com]
  • by no reason to be here ( 218628 ) on Tuesday March 25, 2003 @12:14AM (#5588778) Homepage
    Maybe someone that's upset with the way CERT is doing things...
    or maybe someone joined CERT just so he/she could play uberhacker.
    • by indiigo ( 121714 ) on Tuesday March 25, 2003 @01:05AM (#5589021) Homepage
      CERT is a joke, they announce security vulns days late, often skipping arbitrarily vulns that are on a massive scale. Unsubscribed a year ago.
      • If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming? Shouldn't something DoD-level be secure enough from the social engineering perspective to be admired not regretted?
        • Perhaps the DoD is on a different list, but on the lists I was on I would get updates at least a day or two after a known exploit, or nothing at all. I don't care about priorities, I need to know if a system I run is vulnerable, and it wasn't cutting it.
        • by Anonymous Coward
          If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming?...

          Certain organizations do use CERT for front-line information, but not necessarily for the front-line you envision. Certain assets (capabilities in this case) diminish in value as knowledge of their existence propagates. The value in CERT is knowing who knows something, since we're often well beyond what someone knows by the time
  • Coffee (Score:5, Funny)

    by webword ( 82711 ) on Tuesday March 25, 2003 @12:14AM (#5588780) Homepage
    I drink too much coffee. I leak several times per day.
    • Nosy Robot: Sir, are you aware that you're leaking coolant at an
      alarming rate?
      Fry: Uh ...
      Nosy Robot: Well, let me just patch you up with some hot resin. [he
      holds the gun up so Fry can see it]
      Fry: I think the leak's stopping itself. [it doesn't]
      Wait, wait ... [long pause] ... yeah, there we go. Wait ... there.
      Nosy Robot: [accusing] What sort of robot turns down a free blast of
      searing hot resin?
      [Fry is s
  • by gnu-sucks ( 561404 ) on Tuesday March 25, 2003 @12:14AM (#5588781) Journal

    What is interesting to note is that this hacker, or these hackers, as it may be, are /releasing/ the truth.

    Not defacing web sites, hacking student DB's, etc.

    Is truth the new hack of the future?

    • If he was releasing truth of some worth, perhaps, but these aren't the Pentagon Papers, people, these are silly vulnerability reports for programs.

      • ...these aren't the Pentagon Papers, people, these are silly vulnerability reports for programs.


        Fair enough. However, the Pentagon Papers don't have an immediate effect on me. Knowing there is a known exploit in my infrastructure that I need to guard against has a direct effect on my job / livelihood.
    • There's a reply to this that is so obvious, that I'm going to leave it to your imagination.
    • by madmarcel ( 610409 ) on Tuesday March 25, 2003 @12:27AM (#5588850)
      Hmmm...I vaguely remember a hacker releasing blueprints/plans/files for a rocket or somesuch a while back...

      The idea is not unique, and is to be applauded, consider hacking into CNN's network and releasing what they are NOT showing on TV!

      This could get out of hand though....
      "Truth is a noble cause" -> "HACK THE PLANET!" ;P

      • -consider hacking into CNN's network and releasing what they are NOT showing on TV- Why not just go here: http://www1.chinadaily.com.cn/news/index.html http://www.globeandmail.com/ http://news.bbc.co.uk/ It's easier than breaking the law..
    • by RLiegh ( 247921 ) on Tuesday March 25, 2003 @12:50AM (#5588956) Homepage Journal
      When truth is outlawed; only outlaws will tell the truth.
      • I know this is being pedantic, but 'truth' can't be outlawed any more than 'cold' can be outlawed.
      • When truth is outlawed; only outlaws will tell the truth.

        That .... is .... sickening.

        God, I hope you're wrong, but we seem to be heading thataway.
    • Just like in the CCG Netrunner. You're a hacker trying to liberate the agendas of the evil corporations to try to prevent them from taking over the world.
  • Double-edged sword? (Score:5, Interesting)

    by Raven42rac ( 448205 ) on Tuesday March 25, 2003 @12:17AM (#5588790)
    This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure, it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
    • In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone.

      Keep in mind that pretty much by definition, "script kiddies" won't be doing much with a new vulnerability, as their sole skill lies in being able to run someone else's code. Most new vulnerabilities either aren't exploited for months (vendor patch or no), or if they are, the exploit certainly isn't public know
    • by AlexCV ( 261412 ) on Tuesday March 25, 2003 @01:02AM (#5589006)
      Maybe so, but a good kick in the ass of the CERT and the vendors can help speed things up. When an advisory has been in the pipe for a while and is only scheduled to be released in 3-4 months, clearly vendors are a bit lenient in fixing their bugs. Next thing you know the CERT cycle will be 12 to 18 months...
    • by lamontg ( 121211 ) on Tuesday March 25, 2003 @01:10AM (#5589050)
      define "the public" and "those who have the capacity to fix them".

      I have the sources to the operating system that I prefer to run and all the apps that run on it. I am a unix system engineer of quite a few years experience now. I know how to program C with about 13 years of experience there. I believe very firmly that I am in the category of "those who have the capacity to fix them". I am not, however, in the inner circle of those who get early access to CERT security information.
    • by legLess ( 127550 ) on Tuesday March 25, 2003 @01:22AM (#5589107) Journal
      Quothe the poster:
      In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. ... However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
      You're making a dangerous and unwarranted assumption: that "white hat" hackers find vulnerability information before "black hat" crackers. This is not the case. If one person can discover a security flaw, so can another, and a cracker intending to use his knowledge for ill is certainly not going to report it to CERT.
      Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone.
      Script kiddies are not the problem. Sure, they might 0wn a couple Windows machines, but their very lack of subtlety is what makes them a second-rate danger. The scary crackers are those that find a single, important flaw themselves and rapidly use that information to compromise systems for their own gain, never telling anyone else. It's well-documented that most digital corporate break-ins are not brought to the attention of the authorities or the security community, so Joe Scary Cracker can continue to use his exploit until a white hat finds it.

      Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:
      1. Notify the manufacturer, then wait for said manufacturer to discover a fix and write a press release.
      2. Loudly notify the entire world so that parents can reduce the risk themselves.
      In the above case, the only reason to delay is to protect the manufacturer, so the analogy isn't perfect. Home burglar alarms would be a better analogy, but less vivid.

      For many people charged with security, this is an easy question: they want all possible information on vulnerabilities the second that someone discovers them. They can shut off services, craft firewall rules, compile in patches, write their own damn patches. The worst-case scenario for them is that their systems are afflicted with a vulnerability that anyone else but them knows about.

      Besides, here's the elephant in the living room that no one wants to address: if one person can somehow acquire this information and post it to a public list, another person can use the information for ill gain. One of these vulnerabilities wasn't due to be announced 'til June?? That's a long fucking time for (e.g.) your bank's online transaction processor to be vulnerable.

      Disclose early; disclose often. Anything else multiplies the risk for the people who can least afford it.
      • Two problems with your proposed method:

        1. The non-digital example. The "fix" for the flaw in the child seat is something ANYONE can address by replacing the seat. Software frequently isn't able to be "fixed" that easily, much less by 100% of the user base. An app is one thing, something buried in the OS...

        2. The worst case is NOT that anyone else but you may know about it. The worst case is everyone and their dog can use the hack with the click of a button. Look at your weblogs some time. What hacks
      • by Alex ( 342 ) on Tuesday March 25, 2003 @04:00AM (#5589584)

        Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:


        What usually happens in this scenario is that parents remove the child seats in blind panic and as a result 10x more kids are killed by seatbelts and not being in car seats than would have been killed by the car seats.

        Lucky we removed those car seats isn't it?

        Alex
      • Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take: 1. Notify the manufacturer, then wait for said manufacturer to discover a fix and write a press release. 2. Loudly notify the entire world so that parents can reduce the risk themselves. In the above case, the only reason to delay is to protect the manufacturer, so the analogy isn't perfect. Home burglar alar

    • True, but if it is only disclosed to the people with the capacity to fix them, how do you know that they actually will? By making the public aware of a security vulnerability, yes, you do risk the script kiddies taking advantage of that, but it also gives those with the capacity to fix the gap a reason to.
    • If you really want security through obscurity, you should be able to get it. Quite simply, if there are a number of sysadmins who want a black box solution, then CERT should provide parallel systems, with different sets of programmers.

      One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.

      Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize t
  • Come one.. (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Tuesday March 25, 2003 @12:17AM (#5588791) Homepage Journal

    .. we all know who did it. Dust off those "Free Kevin" bumper stickers everyone.
  • Full disclosure link (Score:3, Informative)

    by AEton ( 654737 ) on Tuesday March 25, 2003 @12:18AM (#5588795)
    The reports this story talks about can be found at the Full Disclosure archives:
    http://lists.netsys.com/pipermail/full-disclosure/ [netsys.com];
    go to March--view by author--hack4life@hushmail.com.
  • CERT could just spend a week sending out vulnerabilities to the "ISC" group, and craft each description to be almost exactly identical, except slight differences in the ASCII. Hack4Life posts one of the different versions, and now you know who's been compromised.

    This should be 80% solved in under a week. If it takes longer than a week, and CERT keeps sending these things out and getting compromised, then they're a bunch of morons. Somehow, I don't think they're a bunch of morons.
    • Maybe not...what if he knows or is informed what they do? Or he has _multiple_ sources and notes the differences himself?

      They're looking for A, B, C, D, E, F, or G and he publishes Z.
    • CERT could just spend a week sending out vulnerabilities to the "ISC" group, and craft each description to be almost exactly identical, except slight differences in the ASCII. Hack4Life posts one of the different versions, and now you know who's been compromised
      Then cracker boy can just receive several different copies of the report and run diff himself. D'oh.
    • If two insiders are working together, then they can share information and note the plot at hand. Even more devious, why not just steal some one else information to make them look like the culprit?

      Of course, this doesn't work unless they see it coming or are extremely paranoid.

      F-bacher
      • Stealing someone else's information wouldn't make them look like the culprit, it would make them look like the victim. I don't think that CERT imagines one of their ISC subscribers is intentionally leaking this information. This is a search for a victim. Once they find the victim, so long as they can secure the victim, CERT shouldn't care too much who the hacker is.

        And sure. My idea can be defeated. It could also be improved: Certain details could be divulged only to certain members. If any of those detail
  • by AEton ( 654737 ) on Tuesday March 25, 2003 @12:22AM (#5588822)
    If CERT is smart, they'll be sending slightly different reports to each vendor (and perhaps storing slightly different copies on each machine which needs them); each copy would contain different typographical errors. Since this l33t h4x0r d00d is just posting direct cut-n-pastes of the reports, they can trace the haxored machine or compromised company within days of posting. (ps: that 'brilliant' idea came to me from a Tom Clancy spy novel)
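    The canary-trap idea raised in the two comments above (a slightly different copy of the report for each recipient, so a verbatim leak identifies its source) and the objection that a recipient holding several copies can simply diff them, worked through as an added Python example. This is not code from the original thread, from CERT or from any vendor; the advisory text, the placeholder VU number, the spelling "slots" and the recipient numbering are all constructed for this example.

```python
"""Canary-trap watermarking of a text advisory (constructed example).

Each recipient's copy differs from the others only in a handful of harmless
spelling/typography choices.  The pattern of choices encodes the recipient
number, so a copy that is leaked verbatim points back at whoever received it.
"""
import re

# Each slot offers two equivalent renderings of one phrase; which one a copy
# uses carries one bit.  The pairs are chosen so that neither spelling is a
# substring of the other and neither occurs anywhere else in TEMPLATE.
SLOTS = [
    ("e-mail", "email"),
    ("web site", "website"),
    ("time-out", "timeout"),
    ("can not", "cannot"),
    ("signalled", "signaled"),
    ("acknowledgement", "acknowledgment"),
]
DATA_BITS = len(SLOTS) - 1       # the last slot carries an even-parity bit
MAX_RECIPIENTS = 1 << DATA_BITS  # 32 distinguishable copies from six slots

# Constructed advisory text; VU#000000 is a placeholder, not a real CERT id.
TEMPLATE = (
    "***** NOT FOR PUBLIC DISTRIBUTION *****\n"
    "VU#000000 (constructed for this example)\n"
    "A crafted {0} message to the vendor's {1} front end causes a {2} in the\n"
    "parser; the daemon {3} recover, the error is {4} to the operator, and\n"
    "no {5} is returned to the client.\n"
)


def _bits_for(recipient_id):
    """Recipient number as little-endian data bits plus one parity bit."""
    if not 0 <= recipient_id < MAX_RECIPIENTS:
        raise ValueError("recipient id out of range")
    bits = [(recipient_id >> i) & 1 for i in range(DATA_BITS)]
    bits.append(sum(bits) % 2)
    return bits


def render(recipient_id):
    """Produce the copy of the advisory destined for one recipient."""
    choices = [SLOTS[i][bit] for i, bit in enumerate(_bits_for(recipient_id))]
    return TEMPLATE.format(*choices)


def _present(text, variant):
    # Whole-word match so "email" never matches inside "e-mail" etc.
    return re.search(r"\b" + re.escape(variant) + r"\b", text) is not None


def identify(leaked_text):
    """Recover the recipient number from a leaked copy.

    Returns None when a slot is missing or ambiguous (both spellings present)
    or when the parity bit does not match, i.e. the text was edited before
    being posted rather than pasted verbatim.
    """
    bits = []
    for first, second in SLOTS:
        seen_first, seen_second = _present(leaked_text, first), _present(leaked_text, second)
        if seen_first == seen_second:   # neither or both: the slot was altered
            return None
        bits.append(0 if seen_first else 1)
    if sum(bits[:DATA_BITS]) % 2 != bits[DATA_BITS]:
        return None
    return sum(bit << i for i, bit in enumerate(bits[:DATA_BITS]))


def differing_slots(copy_a, copy_b):
    """What someone holding two copies learns by diffing them: the index of
    every slot where the copies differ.  A few copies together expose all
    the marked positions, which is the objection raised in the thread."""
    return [i for i, (first, _) in enumerate(SLOTS)
            if _present(copy_a, first) != _present(copy_b, first)]


if __name__ == "__main__":
    copies = {r: render(r) for r in range(MAX_RECIPIENTS)}
    leaked = copies[19]                     # pretend recipient 19's copy was posted
    print("leaked copy came from recipient", identify(leaked))
    print("slots exposed by diffing copies 1 and 2:",
          differing_slots(copies[1], copies[2]))
```

    The parity slot is what lets `identify` refuse to name a source when the posted text has been touched up; without it a single substituted spelling would silently point at the wrong recipient. The `differing_slots` output shows why the scheme is weak against a leaker who can obtain two or more copies: every position that differs between them is a marker he can normalise away before posting.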
  • by t0c ( 658568 ) on Tuesday March 25, 2003 @12:24AM (#5588828)
    Well, are they?? I mean, they are supposed to help security, not help companies look better... I mean, come on, in the end we're suffering... by the time they get the advisory out some exploit is out and we have no idea there is a fault. Isn't that a bit the reverse of what CERT is supposed to be doing? Post advisories so we can protect ourselves. I don't know, it's just a personal opinion and what I understand of this. It's outrageous that an organization designed to help the "world" (I put it in brackets because I really mean people who are interested in security and have to deal with it) deal with the newly arisen problems in security would hide them from us instead.
  • by Fritz Benwalla ( 539483 ) <randomregs@@@gmail...com> on Tuesday March 25, 2003 @12:24AM (#5588830)

    He released the RSA timing attack vulnerability on the 15th of March:

    To: full-disclosure@lists.netsys.com
    From: hack4life@hushmail.com
    Date: Sat, 15 Mar 2003 18:57:13 -0800

    ***** NOT FOR PUBLIC DISTRIBUTION *****

    VU#997481 - Cryptographic libraries and applications do not adequately defend against timing attacks etc. . .

    when it was discussed on Slashdot [slashdot.org] on the 13th of March:

    Once again, Slashdot turns out to be the real problem. . .

    ------

  • Hacker Ethics (Score:3, Redundant)

    by Blaine Hilton ( 626259 ) on Tuesday March 25, 2003 @12:25AM (#5588833) Homepage
    I think this brings up an interesting point related to hacker ethics. On one hand people should know about problems so they fix their machines right away, but if there is no quick fix then perhaps it's a thing for a "need to know" basis. I'm interested to hear if slashdotters think this "hacker" is doing a good thing, or a bad thing.
    • Re:Hacker Ethics (Score:5, Interesting)

      by nomadic ( 141991 ) <nomadicworld@@@gmail...com> on Tuesday March 25, 2003 @01:10AM (#5589048) Homepage
      It's a bad thing. I mean, you can justify almost any crime that way ("oh, I was just testing your locks" or "oh, I was just testing police response in this area" or "oh, I was just testing human skin resistance to .38 caliber rounds").
    • by radon28 ( 593565 )
      "Hack4life goes on to say that all future vulnerability reports will be released at 7 p.m. on Friday "to give hackers the maximum amount of time to actively exploit the vulnerability before sys-admins, CERT and vendors can act to patch the issue on Monday morning after their weekend off."

      You tell me. Is this a good thing, or a bad thing?
    • As far as Hacker Ethics go, this one lands smack dab on freedom of information.

      I personally love it, the Robin Hood style rob information from the rich, give it to the poor.

      It's really the greatest justification for the hacker/cracker subculture. (let's face it, NO ONE is going to say cracker, the term is used)

      Yeah, I do understand the position of the company, but hell, there has to be a better way of dealing with vulns.

    • There may be no quick fix but there is always a quick workaround. The cure might be worse than the disease but that's a call for my organisation to make on the basis of our business needs, not CERT or Microsoft or the government or anyone else. Therefore I demand full disclosure. The last thing I want is to be 0dayed while someone sits on the vulnerability waiting for some slowass vendor to get their shit in order. Besides, I have the sources to all my software; I don't need any fucking vendor to fix it
  • by jaywhy ( 567133 ) on Tuesday March 25, 2003 @12:26AM (#5588841)
    I've never liked the fact that CERT was more or less an exclusive security club. It's obvious that hackers monitor the mailing list and know the vulnerabilities before the majority of everyone else in the world.

    CERT should instead, stick with helping behind the scenes coordination between security agencies like eEye and software companies; and should stop publishing unfixed problems to a CERT's underground mailing list.
    • I've never liked the fact that CERT was more or less an exclusive security club.

      CERT/CC is not an exclusive club. You can join via the Internet Security Alliance [isalliance.org] and get early access to vulnerability information (at least that is what the press reported when ISA was announced). As a result, quite a few people refuse to cooperate with CERT/CC these days.
  • Could this have been an inside job?
  • What concerns me is that one of the vulnerability reports released by this guy wasn't scheduled to be released until June... JUNE??? What the hell are they going to wait till June for? Can't the vendor get their act together before then? This is why we need Bugtraq so bad.. IMHO they should get 3 or 4 weeks max to fix the problem, otherwise it gets released. If there is even a hint it's being exploited on the net it should be released immediately, fix or no fix.

    Malice95
  • by Sandman1971 ( 516283 ) on Tuesday March 25, 2003 @12:54AM (#5588971) Homepage Journal
    I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).

    Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
    • by Shanep ( 68243 ) on Tuesday March 25, 2003 @01:17AM (#5589078) Homepage
      "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).

      What I'd like to know, is what real sys admin is NOT glued to multiple consoles at 7pm on a Friday?

      That's about the start of the week when real work can get done!

      • Bah, I'm a sysadmin and you won't find me glued to consoles at 7pm on a Friday, unless I'm on pager and something breaks. I much prefer spending my weekends with my gf and/or friends.

        There must be a balance in life... cuz in the end, what was it all for? Your servers and your bosses won't be at your bedside when you're really sick and/or dying. But family, friends and loved ones will.

        (Damn, I have been watching way too much SouthPark :P )
        • by Shanep ( 68243 )
          I much prefer spending my weekends with my gf and/or friends.

          Some sys admins love their work too much I guess. I took care of a stock exchange backup network, worked crazy hours, usually 6 days a week, and actually loved it...

          until the politics changed and realistic, learned management who'd worked their way up in the industry, were replaced with some completely clueless non-IT management who managed to cause almost every IT staff member to leave within months (some of the most incredibly gifted IT peop
    • Ya know, I thought it was just me, but every DoS attack/hack attempt I have seen against my servers has been on Friday night or on weekends. Assholes. I work my ass off all week, and I want to relax on the weekend.
  • It's the sound of every sysadmin on Earth switching to BSD!
    • Obvious Result (Score:5, Insightful)

      by Ryvar ( 122400 ) on Tuesday March 25, 2003 @01:41AM (#5589174) Homepage
      If everyone switches to BSD then most of the vulnerabilities found will be for BSD. No OS is flawless, not OpenBSD nor any other - OpenBSD gets more attention than the other BSDs as far as security is concerned in all probability because of their security stance, but there's still a hojillion (I use that term strictly in the technical sense) bugs in there.

      That's not to deride Theo & crew's accomplishments - they've done amazing work, look at how few bugs are found in OpenSSH relative to how incredibly widespread it is - but it is practically impossible to write perfectly secure code that operates at anything like a reasonable speed for the x86.
    • RTFA -- from the Sun RPC XDR libraries notice:
      "BSD-derived libraries with XDR/RPC routines (libc)"

      Don't think you're safe just because your OS makes you feel that way. Patch now! Patch often!

      I don't follow true BSDs so I don't know if there is actually a fix for OpenBSD or FreeBSD. My linux boxes are patched. I assume my OS X boxes are vulnerable as well. Don't assume because your OS is great for you, that it's secure and you don't need to be concerned about patches. Read up on what was released so y
  • by kuhneng ( 241514 ) on Tuesday March 25, 2003 @01:02AM (#5589010) Homepage
    Store the Windows vulnerabilities on a Windows server, Linux vulnerabilities on a Linux server, etc.

    That might take the edge off some companies' complaints about vulnerabilities leaking out before the clock is up.
  • by mabhatter654 ( 561290 ) on Tuesday March 25, 2003 @01:15AM (#5589070)
    If they store unreleased information on non-complete patches, how do they secure their system?

    Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?

    Catch-22 isn't it!

  • by No. 24601 ( 657888 ) on Tuesday March 25, 2003 @01:19AM (#5589090)
    he'll be called 'Packed4Life'.
  • That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.

    And, as the army breakin shows, the 'bad' guys often have the information whether or not the 'good' guys even know it. There are many script kiddies out there, but there are a few really intelligent people who can do their own research, and won't bother telling CERT before they go and exploit the vulnerability.


    • That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.


      That would be because Red Hat and others took advantage of the time CERT takes from vendor notification to general release. This is exactly what CERT is trying to do - release the vulnerability info at the same time vendor patches are ready.
  • Hack4Life? (Score:4, Funny)

    by x136 ( 513282 ) on Tuesday March 25, 2003 @01:48AM (#5589198) Homepage
    <voice type="Comic Book Guy">

    Worst. Hacker name. Ever.

    </voice>
  • localhost? (Score:4, Funny)

    by Kaa42 ( 137049 ) on Tuesday March 25, 2003 @03:37AM (#5589519) Homepage

    Hum, look at the references section

    ...
    6. http://www.kb.cert.org/vuls/id/192995
    7. file://localhost/XDR.html#vendors
    8. http://www.kb.cert.org/vuls/id/516825
    ...

    localhost!? They're obviously already using the vulnerability to put files on my computer.

  • by Skapare ( 16644 ) on Tuesday March 25, 2003 @03:45AM (#5589544) Homepage

    How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?

    And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?

    IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed, determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure toward fixing things faster, and designing to avoid them as well.

  • Won't last long (Score:3, Insightful)

    by TheSHAD0W ( 258774 ) on Tuesday March 25, 2003 @09:43AM (#5590411) Homepage
    You know it's only a matter of time 'til CERT starts modifying their reports so each company's report is unique. Then they'll find which company's leaking them, and stop giving them information.
