www/info

Neil Stevens neil at qualityassistant.com
Wed Oct 9 08:34:56 BST 2002


On Wednesday October 09, 2002 12:53, Martijn Klingens wrote:
> On Tue, 8 Oct 2002, Neil Stevens wrote:
> > Then users should be warned that some KDE developers will knowingly
> > and willfully withhold information.
>
> Tell me: what goal do you expect to serve with disclosing
> security-sensitive information before the patch is ready? Serve the
> script kiddies? Help the hackers by telling them where to look? Force
> KDE to rush out a patch that is not yet tested well enough because the
> word is out already? More sensation?

What I want is to let users take appropriate steps to protect themselves 
*immediately*.

You're making a false assumption that the release or not release of 
information to users affects how vulnerable users are.  The bug is there, 
and *someone* knows it's there.  The only question here is whether we tell 
the users, whom we ask to trust us, that the bug is there.  The fact is, 
you don't know if anyone else independently found the problem, and is 
using the problem to hurt someone.  You don't even know if a developer 
planted the bug deliberately.

"Security" includes more than protection from massively spread worms after 
all.  People can make targeted attacks against their enemies, which for 
the victims is likely a far bigger problem than some random worm 
spreading.  And until users are warned about the problem, so that they can 
shut down the software involved or otherwise protect themselves, they can 
still be attacked.

Consider the two releases yesterday:  KGhostview and KPM.  In these cases, 
users could easily take steps to protect themselves by not opening 
untrusted documents in the former case, and by turning off the bad option 
in the latter case.

Oh, and in the case of KGhostview, a sample document that runs code was 
already distributed to the world.  So being silent on *that* one just kept 
the good guys in the dark.  I guarantee you that the "black hats" are far 
more likely to monitor the security lists than the average user is.

-- 
Neil Stevens - neil at qualityassistant.com
"The nearest I can make it out, 'Love your Enemies' means, 'Hate your
Friends'." - Benjamin Franklin
More information about the kde-core-devel mailing list