Bugtraq mailing list archives

Pro Disclosure (was Re: UnixWare)


From: ccdes () ccdes princeton nj us (Carl Corey)
Date: Sat, 30 Apr 1994 00:48:27 -0500


At  9:30 AM 4/29/94 -0400, der Mouse wrote:
In many cases, the bugs come from the original BSD (or sometimes V7)
code, and knowing this is valuable to those who are working with a
non-vendor version derived from that same code.  But CERT never says
anything like this; all they ever seem to say is "<foo> is a security
hole.  The following vendors have patched versions available, here's
where to get them.", which is useless in helping people with other
vendor versions, or people with non-vendor versions, decide whether
they are at risk.

I totally agree.  Reading CERTs often leaves me with a question as to what
the bug is (ex:  There is a problem with rdist.  Do not allow any users to
access it. ) or where it showed up in the source.  Maybe the bug has been
in BSD since net/1 and therefore many vendors are affected.  Maybe it
popped up in DEC messing with Ultrix and therefore is a DEC-only problem.

I like the way 8lgm released their information.  It told you how to
reproduce it to see if you're affected, and gave which systems it affected.
If they weren't certain, they'd tell you.  ("might affect all BSD-based
program X's").  Disclosure is the key - how can you know if the bug affects
you if your system is not listed as affected unless it is listed as
definitely _not_ affected?  If you can try out the methods used to
re-create the bug, you can see if your system is affected.  You also can
figure out the best way to secure your system - you might panic and totally
remove access to a program, but you could _fix_ it because you know what to
look for - anyone can get the code to autoreply from the elm package, then
you can patch it before a new version is put out by the maintainers.

The "next_to_last" sendmail hole (bouncing mail through pipes, not debug)
has existed through many versions of sendmail, and people have known about
it for a long time.  It ended up that someone posted a "how-to" to usenet
(actually a couple people posted how-tos) and then people were able to
figure out ways to fix the hole, or work-arounds.  Sendmail was updated
very quickly.  Imagine if the parties with the knowledge didn't publicise
it.  We'd all still have that insecurity (not to say that sendmail is
`secure' now... ) ... Bah.

Well, anyway this almost looks like a pro-disclosure manifesto.  I've had a
long night, flames to /dev/null.  (mail from:|/bin/cat >/dev/null)

cc
