Information Security News mailing list archives
Re: Who Are These Jerks, Anyway?
From: Johnathan Meehan <jmeehan () EASYNET CO UK>
Date: Mon, 14 Feb 2000 19:23:37 +0100
Hi White,
I agree with you somewhat, John. However, I am still torn between both sides, as are many people. You have many valid points, as do some other people. (Regardless of the lack of tact.)
Me? Lack of tact? I'm quite the diplomat! ;-) No, you're right - I've mailed people privately about that not having realised until after the event just how I put things. Personally, I enjoy thinking of my style of English as *ahem*... "solid". I'll tone it down for you, White. My public apologies to anybody disgruntled by my style. It wasn't meant as read.
This system administrator is possibly capable, and lacking time, or simply incapable of creating his own tool. Software versions aside, et cetera, as there are always variables added to possibly conflict with the version/data provided by the initial advisory. Sure, lists like Bugtraq are out there for people like that, and quite frequently people post their specific encounters with the 'bugs' on the list. In the end, the definitive way to check if your system is vulnerable, without a doubt, is to use one of the tools provided (or not provided).
I think we all mumble to ourselves about where exactly we should be headed, and of course we all have our own ideas. Hence a discussion group, I suppose. Few people would disagree that publishing tools for any fool to potentially cause damage is not the best way. However, the argument for this always seems to revolve around "Well, if we don't tell people, they won't know. We need to get these exploits out. It is better everybody knows than only one or two people in the world. Then something will be done" type arguments. I'm condensing, from interviews with people today, but consider it a moment. The problem stems not only from the tools provided, but the ridiculous detail provided by some sites in how to utilise them and/or other exploits, as mentioned by Mixter. Why are they so quickly reported to the public at large? Before that, only a few people knew. The risk of damage to you was low. Now the odds have swung the other way. I can see where they are coming from, but ask yourself the question: Which is better? One million people who know how to crash your swanky new UNIX box, or one? More to the point, is it better that the box can be brought down with one mouse click, or by somebody who really does understand what they are doing? Who is more likely to cause the damage? The argument that the more people are aware, the safer it is for all of us is nonsensical. This is proved to an even greater extent when considering sysadmins, and boxes lying around /still/ with security holes that have been widely reported and abused. This would seem to point us toward "security through obscurity", but then not necessarily. You mentioned "commercial revolution", and I feel you have hit upon a very fine point. As security issues become increasingly pervasive in the lives of even the casual web user, then perhaps we should to a large extent place the burden upon that commerce.
The security loopholes found should be directed toward the vendor of the software - the user is then at liberty to pick from whoever offers him the best all-round product, including the concept of security. Some organisations are as much to blame as the people who will happily tell you exactly what to do. They need to reorganise - take the way the *BSD or Linux systems act in this regard. Bloody fast. Do not lose sight of the fact, though, that only the group handling the affected O/S are the people who need to know. Remember, if they do not take heed, providing a simple and quick way to cure your ills, and word does slip out, you begin to see some very convincing reasons for considering another O/S. So there you go. Back to square one. The problem still seems to me to centre around this idea of full disclosure, as soon as possible, as simply as possible. This may gratify the ego of a webmaster, but plays havoc with my working hours. In no way do I totally advocate "security through obscurity", but then again things are not the same now as they were ten years ago. As you say, "Things are changing. The world is changing. The internet is changing." There is just a terrible feeling for me that we are jumping, and not looking where the hell we are going to land. I can still see no reason to move myself away from the view that security is a serious business, and I do not appreciate somebody opening the doors at work whilst I am trying to enjoy a beer with some friends.
my words may be wasted
A considered viewpoint is never wasted, White, even if the people you are speaking with do not agree. Others listening may well.
I also do not completely agree with your previous statements. I would not condemn 2600 Magazine.
I didn't quite condemn 2600. I said that I didn't like it, and gave my reasons why - I simply do not agree with all their actions, and saw some hypocrisy in their comments. I'm sure they are nice people.

Regards,
Johnathan Meehan

"Mr. Momomoto, famous Japanese who can swallow his nose, has been exposed. It was recently revealed that it was Mr. Momomoto's brother who has been doing all this nose swallowing." PRINCIPIA DISCORDIA

ISN is sponsored by Security-Focus.COM
Current thread:
- Who Are These Jerks, Anyway? William Knowles (Feb 11)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 11)
- Message not available
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 14)
- Message not available
- Re: Who Are These Jerks, Anyway? Mixter (Feb 14)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 14)
- Re: Who Are These Jerks, Anyway? Reverend Jain T. Resin (Feb 16)
- Re: Who Are These Jerks, Anyway? whitvamp (Feb 16)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 16)
- Re: Who Are These Jerks, Anyway? Johnathan Meehan (Feb 11)