Bugtraq mailing list archives

Re: Fwd: Any user can panic OpenBSD machine


From: mej () tcserv com (Michael Jennings)
Date: Tue, 28 Jul 1998 15:23:32 -0400


On Tuesday, 28 July 1998, at 13:14:30 (-0600),
Theo de Raadt <deraadt () cvs openbsd org> wrote:

> Said the pot to the kettle.
>
> Go at it -- if you don't run OpenBSD, you have a couple hundred extra
> /tmp races to deal with.
>
> Does this sound like a change in topic?  I don't think so.  We have
> done tons to improve localhost security (races, protocols, not just
> buffer overflows like most other people fix).  But there will always
> be crashes.  Sorry.  We Do What We Can.  We really don't expect to be
> mauled to death when some little crash gets reported.

Here you and I are in absolute, 100% agreement.  OpenBSD has done huge
amounts of work to improve security, and I doubt if anyone on this list
would deny that.  We also know you're human.  We all are, and we all
make mistakes.  I've only seen one below-the-belt attack on the OpenBSD
folks in this thread, and it was uncalled-for.

We as the security community should be able to publicize exploit information
without making pointless editorial comments about who screwed up and how
badly.  Everyone makes mistakes, and they should be given the opportunity
to fix it.  That doesn't, however, remove the need for announcements to
lists like this one.  My point is simply that the information should be
supplied without excessive editorialization.

> Sorry, but I must continue to disagree about the relevance of this
> entire issue to bugtraq.  Question: What have you learned now that
> this crash report has turned into 20 bugtraq postings, half of them
> posted after a fix for the problem was available?
>
> Shall we have a similar discussion the next time we find a way to crash
> the system?

Perhaps not, but the need for the discussion remains.  Often Aleph One
summarizes all the "this-OS-is-vulnerable" and "this-one-isn't" posts
into one, which is probably a good practice.  (As if he didn't have
enough to do already....) :-)  But I stand by it being an exploit
and having a place on this list.

> Are these crashes really that much more interesting than completely
> new issues like www.openbsd.org/errata.html#fdalloc, which affect
> every single operating system, and yet did not get discussed on
> bugtraq?

Not at all.  All it takes is one post.  Perhaps a post needed to be
made (before you posted the URL anyway...now the info is out there).
But that *still* doesn't change the fact that local-user-compromises
should be taken seriously.

Michael

--
 "The breakup was mutual, but it was more mutual on my part."
                                                        -- Beth O'Hara
=======================================================================
Michael Jennings        http://www.tcserv.com/         <mej () tcserv com>
Senior Systems Engineer, Synectics, Inc.      http://www.synectics.com/
