Re: End of all Open Source.

From: Bradley Bungmunch (Bradley@Bungmunch.com)
Date: 03/06/03



On Wed, 05 Mar 2003 23:47:12 GMT, Barry Margolin
<barry.margolin@level3.com> wrote:

>In article <e3nc6vctfkutoajk6so9ig4g802vj3u01d@4ax.com>,
>Bradley Bungmunch <Bradley@Bungmunch.com> wrote:
>>If this bug had been announced straight away, it would also have been
>>fixed almost immediately. Instead they kept it quiet and it took three
>>months for a fix to be issued.
>
>Yet, as far as we know, it was never exploited during that time.
>
And on what bit of research do you base this? Illuminate me please.

>So the system seemed to work.
>
You go jump off a high building. I bet you, right until before you go
splat, everything will still seem OK.

>>In the meantime, the systems remained vulnerable and the people who
>>never bother to patch their systems will still have unpatched systems
>>in the weeks to come.
>
>People like that are irrelevant -- if they don't bother to patch their
>systems, it doesn't matter when the vulnerability and fixes are announced.
>
So what was the point in the delay?

>If the vulnerability had been announced immediately, what could end users
>have done with the knowledge? Should they shut down their mail servers
>until the patches are made available? Or frantically convert to some other
>mailer like postfix?
>
Why did the fix take so long to produce? What was so different? Like
I said - in a previous paragraph - people who don't patch their
systems aren't going to bother patching just because there has been a
three month delay.

>Telling people about a vulnerability without providing practical solutions
>is like the terror alerts that our government keeps announcing. I'm just
>not sure what the analogy is to sealing your house with plastic and duct
>tape. :)
>
But the failure to provide a timeous solution seems to have been
*caused* by the very fact that the bug was kept secret. Has nothing
been learned about the problems of this fallacious method of dealing
with bugs?

"I would rather have a German division in front of me than a French one behind me."

--- General George S. Patton
