www/info
Neil Stevens
neil at qualityassistant.com
Wed Oct 9 08:34:56 BST 2002
On Wednesday October 09, 2002 12:53, Martijn Klingens wrote:
> On Tue, 8 Oct 2002, Neil Stevens wrote:
> > Then users should be warned that some KDE developers will knowingly
> > and willfully withhold information.
>
> Tell me: what goal do you expect to serve with disclosing
> security-sensitive information before the patch is ready? Serve the
> script kiddies? Help the hackers by telling them where to look? Force
> KDE to rush out a patch that is not yet tested well enough because the
> word is out already? More sensation?
What I want is to let users take appropriate steps to protect themselves
*immediately*.
You're making a false assumption that the release or non-release of
information to users affects how vulnerable users are. The bug is there,
and *someone* knows it's there. The only question here is whether we tell
the users, whom we ask to trust us, that the bug is there. The fact is,
you don't know if anyone else independently found the problem, and is
using the problem to hurt someone. You don't even know if a developer
planted the bug deliberately.
"Security" includes more than protection from massively spread worms after
all. People can make targeted attacks against their enemies, which for
the victims is likely a far bigger problem than some random worm
spreading. And until users are warned about the problem, so that they can
shut down the software involved or otherwise protect themselves, they can
still be attacked.
Consider the two releases yesterday: KGhostview and KPM. In these cases,
users could easily take steps to protect themselves by not opening
untrusted documents in the former case, and by turning off the bad option
in the latter case.
Oh, and in the case of KGhostview, a sample document that runs code was
already distributed to the world. So being silent on *that* one just kept
the good guys in the dark. I guarantee you that the "black hats" are far
more likely to monitor the security lists than the average user is.
--
Neil Stevens - neil at qualityassistant.com
"The nearest I can make it out, 'Love your Enemies' means, 'Hate your
Friends'." - Benjamin Franklin