Re: thoughts on kernel security issues

From: Jesper Juhl
Date: Thu Jan 13 2005 - 18:38:23 EST

Next message: Dave: "[PATCH 1/5] Convert resource to u64 from unsigned long"
Previous message: Chris Wright: "Re: thoughts on kernel security issues"
In reply to: Marek Habersack: "Re: thoughts on kernel security issues"
Next in thread: Alan Cox: "Re: thoughts on kernel security issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 13 Jan 2005, Dave Jones wrote:

> On Thu, Jan 13, 2005 at 10:48:14PM +0100, Marek Habersack wrote:
>
> > > If admins don't install updates in a timely manner, there's
> > > not a lot we can do about it. For those that _do_ however,
> > > we can make their lives a lot more stress free.
> > Indeed, but what does have it to do with a closed disclosure list?
>
> For the N'th time, it gives vendors a chance to have packages
> ready at the time of disclosure.
>
> > With open
> > disclosure list you provide a set of fixes right away, the admins take them
> > and apply. With closed list you do the same, but with a delay (which gives
> > an opportunity for a "race condition" with the bad guys, one could argue).
> > So, what's the advantage of the delayed disclosure?
>
> Not having to panic and rush out releases on day of disclosure.
> Not having users vulnerable whilst packages build/get QA/get pushed to mirrors.
>
The users are still vulnerable during the time you are preparing your
kernel packages.
Personally I'd very much prefer to know of the bug even before a fix is
ready since that would allow me to protect my systems in alternative ways
until the fixes are ready. Depending on the nature of the bug I
could perhaps tweak firewall rulesets temporarily, temporarily disable
certain services, perhaps I could mount a few filesystems read-only for a
few days, maybe rebuild my current vulnerable kernel with an option
disabled as a workaround and live with less functionality until the fix is
ready, maybe even take vulnerable systems offline until a fix is ready.
Having the info that the bug exists and can be targeted in this or
that way gives me a chance to respond and protect my systems while a
proper fix is being developed. I can't do that if I'm in the dark until
vendors feel comfortable and ready to release packaged bug free kernels -
and all the time I'm waiting some black hat idiot may have found the same
bug and cracked my system.

--
Jesper Juhl

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dave: "[PATCH 1/5] Convert resource to u64 from unsigned long"
Previous message: Chris Wright: "Re: thoughts on kernel security issues"
In reply to: Marek Habersack: "Re: thoughts on kernel security issues"
Next in thread: Alan Cox: "Re: thoughts on kernel security issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]