Oh dear, I am adding to this waste of bandwidth ...
Of course CERT are free to do as they wish but one, more friendly,
alternative would be to *gradually* reveal details of a security hole.
The idea would be that the first alert would be a standard CERT 'there
is a problem in program X, this is a patch for version Y' posting, with
no details. Then gradually over a period of days more and more details
could be released.
This would mean that sites exposed to the known case can take action to
close the hole before details become available. The eventual release of
detailed information would enable sites running related software, but
to which the published patch/workaround does not apply, to test for the
problem and correct it. It also enables the wider white-hat community
to understand the problem better and be on the look out for related
security holes.
This would also avoid the race condition described in John Murphy's
post, and still get the information out. Of course the one person this
does *not* protect is the lazy sysadmin who ignores the early warning.
IMHO there is no help for that and a break-in is inevitable at such a
site anyway.
As an added benefit a list could then be made publicly available
detailing all the known holes and it would be a great deal easier to
shut them all. Again, this makes life easy for careful admins and hard
for careless ones, and, IMHO crackers.
Harry Protoolis
harry @ london . sbi . com

"Sons of the South, make a choice between ...
The land that belongs to the lord and the Queen
And the land that belongs to you." - Henry Lawson
(with apologies for the sexist language)