On Tue, 02 Dec 2003 13:12:40 -0600, Alex Malinovich wrote:

> On Tue, 2003-12-02 at 11:31, Greg Folkert wrote:
>> Shoulda Been:
>> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
>>
>> What a wanker I am. No, Peter no comment needed.
>>
>> On Tue, 2003-12-02 at 11:08, Greg Folkert wrote:
>> >
>> > http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
>> > Debian
>
> Thanks for the link. It certainly makes for interesting reading. Though
> I am somewhat concerned about the following bit from the message:
>
> "Please understand that we cannot give away the used exploit to random
> people who we don't know. So please don't ask us about it."
>
> I'm afraid I'm part of the group that just doesn't understand. This
> snippet reeks of security through obscurity for me. If the hole has been
> identified and, presumably, fixed, why not tell people about it?
There is always a conflict between security and openness. MS's approach has always been not to say anything until a fix has been propagated; they are often criticized for that, but I'm sure they'd be deluged in lawsuits from compromised system owners if they advertised the exploit to bad guys before they had a fix.

In this case, the exploit is still an issue for those who have not yet applied a fix. So to publish the exploit code itself is to expose many Debian systems to needless risk.

Well, that's the way I see it, anyway.

--
....................paul

"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."
- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain English Campaign's 2003 "Foot in Mouth" award.