Re: End of all Open Source.
From: Barry Margolin (barry.margolin@level3.com)
Date: 03/07/03
From: Barry Margolin <barry.margolin@level3.com> Date: Fri, 07 Mar 2003 01:21:53 GMT
In article <isjf6v0krtkvp9cs9up7j5s5camcqqop9e@4ax.com>,
Bradley Bungmunch <Bradley@Bungmunch.com> wrote:
>On Wed, 05 Mar 2003 23:47:12 GMT, Barry Margolin
><barry.margolin@level3.com> wrote:
>
>>In article <e3nc6vctfkutoajk6so9ig4g802vj3u01d@4ax.com>,
>>Bradley Bungmunch <Bradley@Bungmunch.com> wrote:
>>>If this bug had been announced straight away, it would also have been
>>>fixed almost immediately. Instead they kept it quiet and it took three
>>>months for a fix to be issued.
>>
>>Yet, as far as we know, it was never exploited during that time.
>>
>And on what bit of research do you base this? Illuminate me please.
The CERT advisory said so.
>>>In the meantime, the systems remained vulnerable and the people who
>>>never bother to patch their systems will still have unpatched systems
>>>in the weeks to come.
>>
>>People like that are irrelevant -- if they don't bother to patch their
>>systems, it doesn't matter when the vulnerability and fixes are announced.
>>
>So what was the point in the delay?
To give implementors time to fix it before the vulnerability was made well
known. That's CERT's standard practice.
>>If the vulnerability had been announced immediately, what could end users
>>have done with the knowledge? Should they shut down their mail servers
>>until the patches are made available? Or frantically convert to some other
>>mailer like postfix?
>>
>Why did the fix take so long to produce? What was so different? Like
>I said - in a previous paragraph - people who don't patch their
>systems aren't going to bother patching just because there has been a
>three month delay.
I don't know what point you're trying to make about the people who don't
patch their systems. Like I said, they're irrelevant.
>But the failure to provide a timeous solution seems to have been
>*caused* by the very fact that the bug was kept secret.
On what research do you base that statement? How can you know what would
have happened in other circumstances? You can only speculate.
--
Barry Margolin, barry.margolin@level3.com
Genuity Managed Services, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.