Re: End of all Open Source.

From: Bradley Bungmunch (Bradley@Bungmunch.com)
Date: 03/06/03

    From: Bradley Bungmunch <Bradley@Bungmunch.com>
    Date: Thu, 06 Mar 2003 22:54:07 +0000

    On Wed, 05 Mar 2003 23:47:12 GMT, Barry Margolin
    <barry.margolin@level3.com> wrote:

    >In article <e3nc6vctfkutoajk6so9ig4g802vj3u01d@4ax.com>,
    >Bradley Bungmunch <Bradley@Bungmunch.com> wrote:
    >>If this bug had been announced straight away, it would also have been
    >>fixed almost immediately. Instead they kept it quiet and it took three
    >>months for a fix to be issued.
    >
    >Yet, as far as we know, it was never exploited during that time.
    >
    And on what bit of research do you base this? Illuminate me please.

    >So the system seemed to work.
    >
    You go jump off a high building. I bet you, right until before you go
    splat, everything will still seem OK.

    >>In the meantime, the systems remained vulnerable and the people who
    >>never bother to patch their systems will still have unpatched systems
    >>in the weeks to come.
    >
    >People like that are irrelevant -- if they don't bother to patch their
    >systems, it doesn't matter when the vulnerability and fixes are announced.
    >
    So what was the point in the delay?

    >If the vulnerability had been announced immediately, what could end users
    >have done with the knowledge? Should they shut down their mail servers
    >until the patches are made available? Or frantically convert to some other
    >mailer like postfix?
    >
    Why did the fix take so long to produce? What was so different? Like
    I said - in a previous paragraph - people who don't patch their
    systems aren't going to bother patching just because there has been a
    three month delay.

    >Telling people about a vulnerability without providing practical solutions
    >is like the terror alerts that our government keeps announcing. I'm just
    >not sure what the analogy is to sealing your house with plastic and duct
    >tape. :)
    >
    But the failure to provide a timeous solution seems to have been
    *caused* by the very fact that the bug was kept secret. Has nothing
    been learned about the problems of this fallacious method of dealing
    with bugs?

    "I would rather have a German division in front of me than a French one behind me."

    --- General George S. Patton
