evol262 posted:
Responsible disclosure is the context.

quote:
Whether or not one person considers covert patching OK has no impact on whether it's ethical.

quote:
misrepresentation (a la covert patching)

Sep 28, 2014 07:29

OneEightHundred posted:
I specifically said that it was advocating secrecy and that "responsible" was a paraphrase, but it's hearsay anyway, so it's probably not worth arguing. The Viega article expresses most of the sentiments anyway, and the factual issue is the same regardless of who's saying it: Public disclosure as currently practiced causes massive collateral damage. It is impossible to identify all users of software in order to notify them individually, so you're now begging the question of whether it's more or less harmful to keep it secret.

I'm not sure why you think linking to random articles is somehow going to do anything. This isn't some kind of internet argument that you can "win". You're just obstinately refusing to accept that any viewpoint other than your own is reasonable, including the common consensus of the legal teams of F500 companies.

quote:
The vulnerability finder contacts the vendor through standard means (generally, by mailing security@domainname), and works with the vendor to validate the bug, and set a schedule for future fixing, and regular communication between the parties.

So this basically is responsible disclosure anyway, except there's no idiotic 30/60/90 day waiting period. The enormous problem with this is the fungible time scale (a few months? up to a year), relying on "good faith" efforts from vendors, vuln hunters helping set timetables for software vendors, and the assumption that this actually protects anyone. Whether you believe it or not, these strategies have been tried in the past. That's how they got to public disclosure. And public disclosure is how we got to responsible disclosure.

The entire article is a storm of fallacies, unqualified statements, and wishful thinking.

"Let's get Microsoft to change their update and patching strategy!" (surely it isn't this way because clients asked for it so they could apply security fixes in controlled environments without applying omnibus patches which may change underlying system behavior -- even though that's true)

"People don't look at omnibus updates for security problems, right now. Therefore, putting all security updates into omnibuses only will ensure that nobody ever reverses them!" (if there aren't separate updates for security patches, pen testers, black hats, and others are assuredly going to reverse omnibuses to find them)

OneEightHundred posted:
And what makes it unethical? You've written off the "greater good" and effectiveness as having anything to do with it, so what's left?

The "greater good" and effectiveness are utilitarian or relativistic arguments which have no play in professional behavior.

OneEightHundred posted:
Replacing a component without explaining every decision that led to the replacement in intricate detail is not making a false statement.

Sep 28, 2014 15:53

Kazinsal posted:
Unless it's a default spin of busybox which Technogeek above pointed out uses ash.

Thank goodness, our admin did some testing and it's just like you said. The ash shell is in use on our gear, not bash. Phew! There are a few things we are still checking and of course not everything is ready for a patch yet. What a horrible mess.

Sep 29, 2014 22:43

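An added example, not posted by anyone in this thread: the kind of check the admin above ran, as a portable sh script. It resolves which implementation actually sits behind a shell path (busybox ash, dash, bash, or something else) and then runs the standard Shellshock (CVE-2014-6271) probe against it: an exported variable whose value is a function definition followed by a trailing command. An unpatched bash runs the trailing command while importing the function; a fixed bash, ash, and dash do not. The path list, the output labels and the function names are my choices; nothing here is vendor tooling.

```shell
#!/bin/sh
# Added example (not from the thread): which shell is really behind a path,
# and does it fall for the Shellshock environment-function import?

# Print the implementation behind a shell path: bash, ash, dash, or other.
identify_shell() {
    path="$1"
    # Resolve symlinks where readlink -f exists (GNU, busybox); otherwise keep the path.
    real=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
    case "$(basename "$real")" in
        bash)        echo bash ;;
        ash|busybox) echo ash ;;   # busybox's sh applet is ash
        dash)        echo dash ;;
        *)
            # Binary name is uninformative (e.g. a hard copy named sh):
            # ask the shell whether it is bash by checking BASH_VERSION.
            if [ -n "$("$path" -c 'echo "$BASH_VERSION"' 2>/dev/null)" ]; then
                echo bash
            else
                echo other
            fi ;;
    esac
}

# CVE-2014-6271 probe. The variable value is a function body followed by a
# trailing command; only an unpatched bash executes that trailing command
# while importing the function from the environment.
# Returns 0 if the shell is vulnerable, 1 if it is not.
shellshock_probe() {
    shell="$1"
    out=$(env 'x=() { :;}; echo VULNERABLE' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# One-line verdict for a path: "missing", "<impl> vulnerable", or "<impl> not-vulnerable".
report_shell() {
    path="$1"
    if [ ! -x "$path" ]; then
        echo "missing"
        return 0
    fi
    impl=$(identify_shell "$path")
    if shellshock_probe "$path"; then
        echo "$impl vulnerable"
    else
        echo "$impl not-vulnerable"
    fi
}

# Stand-alone run: check the usual candidates on this box (constructed path list).
for s in /bin/sh /bin/bash /bin/ash /bin/dash; do
    echo "$s: $(report_shell "$s")"
done
```

Note that the probe only covers the original bug, not the follow-on parser issues that were fixed in later bash releases, so a "not-vulnerable" here means "the first patch is in", not "all Shellshock-related fixes are in". Run it as the user the service actually uses, against the exact path the service executes (cgi handlers, DHCP client hooks and the like call /bin/sh, not /bin/bash).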
Apple has posted some fixes. No word yet on whether they're complete:
Mavericks: http://support.apple.com/kb/DL1769
Mountain Lion: http://support.apple.com/kb/DL1768
Lion: http://support.apple.com/kb/DL1767

Sep 30, 2014 18:32

Sorry for the DP, but whoops, looks like people are targeting NASes as well: http://www.fireeye.com/blog/technical/2014/10/the-shellshock-aftershock-for-nas-administrators.html

Oct 1, 2014 22:22