Information Security News mailing list archives

Re: Who Are These Jerks, Anyway?


From: Johnathan Meehan <jmeehan () EASYNET CO UK>
Date: Mon, 14 Feb 2000 19:23:37 +0100

Hi White,

I agree with you somewhat, John.  However, I am still torn
between both sides, as are many people.  You have many valid points, as
do some other people.  (Regardless of the lack of tact.)

Me? Lack of tact? I'm quite the diplomat! ;-) No, you're right - I've mailed
people privately about that not having realised until after the event just
how I put things. Personally, I enjoy thinking of my style of English as
*ahem*... "solid". I'll tone it down for you, White. My public apologies to
anybody disgruntled by my style. It wasn't meant as read.

This system administrator is possibly capable, and lacking
time, or simply incapable of creating his own tool.  Software versions
aside, et cetera, as there are always variables added to possibly
conflict the version/data provided by the initial advisory.  Sure, lists
like Bugtraq are out there for people like that, and quite frequently
people post their specific encounters with the 'bugs' on the list.  In
the end, the definitive way to check if your system is vulnerable,
without a doubt, is to use one of the tools provided (or not provided).

I think we all mumble to ourselves about where exactly we should be headed,
and of course we all have our own ideas. Hence a discussion group, I
suppose. Few people would disagree that publishing tools for any fool to
potentially cause damage is not the best way. However, the argument for this
always seems to revolve around, "Well, if we don't tell people, they won't
know. We need to get these exploits out. It is better everybody knows than
only one or two people in the world. Then something will be done" type
arguments. I'm condensing, from interviews with people today, but consider
it a moment. The problem stems not only from the tools provided, but the
ridiculous detail provided by some sites in how to utilise them and/or other
exploits, as mentioned by Mixter. Why are they so quickly reported to the
public at large? Before that, only a few people knew. The risk of damage to
you was low. Now the odds have swung the other way.

I can see where they are coming from, but ask yourself the question: Which
is better? One million people who know how to crash your swanky new UNIX
box, or one? More to the point, is it better that the box can be brought
down with one mouse click, or by somebody who really does understand what
they are doing. Who is more likely to cause the damage? The argument that
the more people are aware, the safer it is for all of us is nonsensical.
This is proved to an even greater extent when considering sysadmin, and
boxes lying around /still/ with security holes that have been widely
reported and abused. This would seem to point us toward "security through
obscurity", but then necessarily not.

You mentioned "commercial revolution", and I feel you have hit upon a very
fine point. As security issues become increasingly more pervasive in the
lives of even the casual web user, then perhaps we should to a large extent
place the burden upon that commerce. The security loopholes found should be
directed toward the vendor of the software - the user is then at liberty
to pick from whoever offers him the best all round product, including the
concept of security. Some organisations are as much to blame as the people
who will happily tell you exactly what to do. They need to reorganise - take
the way the *BSD or Linux systems act in this regard. Bloody fast. Do not
lose sight of the fact, though, that only the group handling the affected
O/S are the people who need to know. Remember, if they do not take heed,
providing a simple and quick way to cure your ills, and word does slip out,
you begin to see some very convincing reasons for considering another O/S.

So there you go. Back to square one. The problem still seems to me to centre
around this idea of full disclosure, as soon as possible, as simply as
possible. This may gratify the ego of a webmaster, but plays havoc with my
working hours. In no way do I totally advocate "security through obscurity",
but then again things are not the same now as they were ten years ago. As
you say, "Things are changing. The world is changing. The internet is
changing." There is just a terrible feeling for me that we are jumping, and
not looking where the hell we are going to land. I can still see no reason
to move myself away from the view that security is a serious business, and I
do not appreciate somebody opening the doors at work whilst I am trying to
enjoy a beer with some friends.

my words may be wasted

A considered viewpoint is never wasted, White, even if the people you are
speaking with do not agree. Others listening may well.

I also do not completely agree with your previous statements.  I
would not condemn 2600 Magazine.

I didn't quite condemn 2600. I said that I didn't like it, and gave my
reasons why - I simply do not agree with all their actions, and saw some
hypocrisy in their comments. I'm sure they are nice people.

Regards,

Johnathan Meehan

"Mr. Momomoto, famous Japanese who can swallow his nose, has been exposed.
It was recently revealed that it was Mr. Momomoto's brother who has been
doing all this nose swallowing."
PRINCIPIA DISCORDIA

ISN is sponsored by Security-Focus.COM
