Bugtraq mailing list archives
Re: CERT, CIAC, etc. unethical practices
From: mkienenb () arsc edu (Mike Kienenberger)
Date: Sun, 22 Dec 1996 15:06:08 -0900
> By withholding information, CIAC and CERT are--in effect--shielding those sites that can't act quickly. Yes, it's security by obscurity, and yes, it isn't as safe as a fix would be, but it *is* better than widespread distribution of an exploit. It gives those system managers that don't have the time to jump on every obscure security hole, or who aren't *aware* of every security hole, time to *learn* or to be told by someone in the know (such as a vendor). Yes, it leaves them open for attack longer, but it also makes it more difficult for the casual cracker to get his hands on the information and cause problems.
Most security holes can be fixed by: a) removing a setuid or setgid bit, or b) providing a wrapper that corrects the path, the environment, or the arguments supplied to a program. *IF* we knew about such problems, it'd be trivial to make a temporary fix, even for a "below-average" system administrator. Having even a shoddy patch is better than hoping that your site is only attacked by below-average crackers. Security by obscurity is a poor decision to make if you've got other choices, and most of the time you do.

---
Mike Kienenberger
Arctic Region Supercomputing Center
Systems Analyst
(907) 474-6842
mkienenb () arsc edu
http://www.arsc.edu
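As an added illustration of the wrapper approach the post describes (example code written for this archive page, not part of the original message): a small C wrapper that is meant to carry the setuid bit in place of the real program, and that execs that program with a fixed PATH and IFS, only a short whitelist of caller variables passed through, and every argument checked against a conservative character set. The target path `/usr/libexec/real-program` and the whitelist are placeholders chosen for the example.

```c
/* Added example, not from the original post. Wrapper that execs a fixed
 * program with a sanitized environment and validated arguments. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define TARGET_PROGRAM "/usr/libexec/real-program" /* placeholder path */
#define MAX_ENV 64
#define MAX_ARG_LEN 256

/* Caller variables passed through unchanged (assumed whitelist); anything
 * else, e.g. LD_PRELOAD, LD_LIBRARY_PATH or a caller-chosen PATH, is dropped. */
static const char *const passthrough[] = { "TERM", "LANG", "HOME", NULL };

/* Values the wrapper sets itself regardless of what the caller supplied. */
static const char *const fixed[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Return 1 if `env` is a "NAME=value" entry whose NAME equals `name`. */
static int env_name_is(const char *env, const char *name)
{
    size_t n = strlen(name);
    return strncmp(env, name, n) == 0 && env[n] == '=';
}

/* Build a new NULL-terminated environment for the target from the caller's.
 * The array is heap-allocated; entries point into the inputs. */
char **sanitize_env(char *const *caller_env)
{
    char **out = calloc(MAX_ENV + 1, sizeof *out);
    size_t n = 0;
    if (!out) return NULL;
    for (size_t i = 0; fixed[i]; i++)
        out[n++] = (char *)fixed[i];
    for (size_t i = 0; caller_env && caller_env[i] && n < MAX_ENV; i++)
        for (size_t j = 0; passthrough[j]; j++)
            if (env_name_is(caller_env[i], passthrough[j])) {
                out[n++] = caller_env[i];
                break;
            }
    out[n] = NULL;
    return out;
}

/* Accept only non-empty, bounded arguments drawn from a conservative
 * character set, so the real program never sees shell metacharacters,
 * control characters, or over-long strings. Returns 1 if acceptable. */
int arg_is_safe(const char *arg)
{
    if (!arg) return 0;
    size_t n = strlen(arg);
    if (n == 0 || n > MAX_ARG_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == '/'))
            return 0;
    }
    return 1;
}

/* Number of entries in a NULL-terminated string array. */
size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env && env[n]) n++;
    return n;
}

/* First "NAME=value" entry for `name` in `env`, or NULL if absent. */
const char *env_lookup(char *const *env, const char *name)
{
    for (size_t i = 0; env && env[i]; i++)
        if (env_name_is(env[i], name)) return env[i];
    return NULL;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i])) {
            fprintf(stderr, "%s: rejected argument %d\n", argv[0], i);
            return 2;
        }
    char **env = sanitize_env(environ);
    if (!env) return 1;
    argv[0] = TARGET_PROGRAM;            /* absolute path: no PATH lookup */
    execve(TARGET_PROGRAM, argv, env);   /* returns only on failure */
    perror("execve");
    return 1;
}
```

In deployment the real program loses its setuid bit and becomes executable only by the wrapper's owner, while the wrapper is the only setuid entry point; the whitelist and character set above are deliberately narrow and would be widened only for arguments the real program is known to need.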