Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«3 »
  • Locked thread
OneEightHundred
Feb 28, 2008

Soon, we will be unstoppable!


evol262 posted:

Responsible disclosure is the context.
I specifically said that it was advocating secrecy and that "responsible" was a paraphrase, but it's hearsay anyway, so it's probably not worth arguing. The Viega article expresses most of the sentiments anyway, and the factual issue is the same regardless of who's saying it: Public disclosure as currently practiced causes massive collateral damage.

quote:

Whether or not one person considers covert patching OK has no impact on whether it's ethical.
And what makes it unethical? You've written off the "greater good" and effectiveness as having anything to do with it, so what's left?

quote:

misrepresentation (ala covert patching)
Replacing a component without explaining every decision that led to the replacement in intricate detail is not making a false statement.

Adbot
ADBOT LOVES YOU

evol262
Nov 30, 2010
#!/usr/bin/perl

OneEightHundred posted:

I specifically said that it was advocating secrecy and that "responsible" was a paraphrase, but it's hearsay anyway, so it's probably not worth arguing. The Viega article expresses most of the sentiments anyway, and the factual issue is the same regardless of who's saying it: Public disclosure as currently practiced causes massive collateral damage.
You missed my point. Responsible disclosure is not the same thing as open disclosure, where it's immediately publicized while everyone is vulnerable, and it's not a paraphrase. It is a disclosure strategy.

It is impossible to identify all users of software in order to notify them individually, so you're now begging the question of whether it's more more or less harmful to keep it secret.

I'm not sure why you think linking to random articles is somehow going to do anything. This isn't some kind of internet argument that you can "win". You're just obstinately refusing to accept that any viewpoint other than your own is reasonable, including the common consensus of the legal teams of F500 companies.

quote:

The vulnerability finder contacts the vendor through standard means (generally, by mailing security@domainname), and works with the vendor to validate the bug, and set a schedule for future fixing, and regular communication between the parties.
The vulnerability finder does not disclose while the vendor is behaving reasonably and acting in good faith. The finder should expect that patching can take a few months (especially when a problem requires rearchitecting to fix), and that getting a release out might even take a year or so (mostly dependent on a release schedule).
If, at any point, the vendor is not acting in good faith to protect customers as quickly as reasonable, the finder should give 30 days notice for the vendor to correct behavior. If it doesn't correct, then the finder is free to disclose publicly.
If a problem is being exploited in the wild, the vendor must acknowledge the problem and provide its schedule to the public within two business days from the point they were notified.
For two years, disclosure is controlled by the software vendor, if it happens at all. After two years, the finder may disclose, but must give the vendor 30 days notice of the exact date and time. Generally, the vendor should produce documentation that acknowledges the finders role, whenever there is disclosure.

So this basically is responsible disclosure anyway, except there's no idiotic 30/60/90 day waiting period. The enormous problem with this is the fungible time scale (a few months? up to a year), relying on "good faith" efforts from vendors, vuln hunters helping set timetables for software vendors, and the assumption that this actually protects anyone. Whether you believe it or not, these strategies have been tried in the past. That's how they got to public disclosure. And public disclosure is how we got to responsible disclosure.

The entire article is a storm of fallacies, unqualified statements, and wishful thinking.

"Let's get Microsoft to change their update and patching strategy!" (surely it isn't this way because clients asked for it so they could apply security fixes in controlled environments without applying omnibus patches which may change underlying system behavior -- even though that's true)

"People don't look at omnibus updates for security problems, right now. Therefore, putting all security updates into omnibuses only will ensure that nobody ever reverses them!" (if there aren't separate updates for security patches, pen testers, black hats, and others are assuredly going to reverse omnibuses to find them)

OneEightHundred posted:

And what makes it unethical? You've written off the "greater good" and effectiveness as having anything to do with it, so what's left?
I'll leave it to you to research the differences between deontology, virtue ethics, and utilitarianism. Professional ethics follow deontology in western countries (I don't know about eastern -- maybe legalism? Maybe also deontology given western influence? It's kind of irrelevant to this discussion anyway).

The "greater good" and effectiveness are utilitarian or relativistic arguments which have no play in professional behavior.

OneEightHundred posted:

Replacing a component without explaining every decision that led to the replacement in intricate detail is not making a false statement.
You don't seem to know what misrepresentation means either. Go look up the common law definition. It doesn't need to be a fraudulent statement to be misrepresentative or negligent.

CuddleChunks
Sep 18, 2004



Kazinsal posted:

Unless it's a default spin of busybox which Technogeek above pointed out uses ash.

Thank goodness, our admin did some testing and it's just like you said. The ash shell is in use on our gear, not bash. Phew! There's a few things we are still checking and of course not everything is ready for a patch yet. What a horrible mess.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Apple has posted some fixes. No word yet on if they're complete:
Mavericks http://support.apple.com/kb/DL1769
Mountain Lion http://support.apple.com/kb/DL1768
Lion http://support.apple.com/kb/DL1767

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Sorry for the DP but whoops, looks like people are targetting NAS's as well:
http://www.fireeye.com/blog/technic...nistrators.html

  • Locked thread
«3 »