Date: Wed, 29 Oct 2003 13:03:49 -0500
From: Adam Shostack <adam@...eport.org>
To: Steve Clement <steve@....lu>
Cc: Thor Larholm <thor@...x.com>, bugtraq@...urityfocus.com
Subject: Re: Mac OS X vulnerabilities ['Virus checked"]


On Wed, Oct 29, 2003 at 06:18:40PM +0100, Steve Clement wrote:
| All this issue depends on how suspicious you are really.
| 
| One could say that @stake waited till Panther 10.3 came out to release
| the Security alert and therefore push the sales of the new system. Or
| you could argue that it was an unlucky coincidence that with the new
| release there were quite a few security bugs appearing.

@Stake is being pretty up front that they are moving far away from
full-disclosure.  Weld has been up-front and vocal about this shift
and the reasons for it.

It seems fairly clear that DaveG reported these issues to Apple (along
with many others over the past while), and for this subset of the
DaveG issues, Apple said "these are complex to fix, we'll get to them in
the next major release."

Which is roughly where we were 10 years ago in some ways: Vendors got
bug reports, and as much time as they wanted to fix the issues.  If
there's independent rediscovery of issues (and I think for some of
these, that's likely), then customers are SOL as the issues are
exploited.  On the plus side, 10 years ago, vendors might have said
"fixed security issues," without enumeration or acknowledgment.  So
that's improved.

I think that announcing a set of security issues, and saying "the fix
is to upgrade your entire OS" is not a great disclosure strategy.  If
that's @Stake's new plan, I would give the new OS 30-90 days before
making the announcements.  But I believe that the general risk of
independent discovery of issues is substantial enough that this sort
of long delay from discovery to fix is a poor practice, and one that
we as an industry had been moving away from.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
