Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 25 Jul 2015 23:01:28 +0200
From: Leif Nixon <>
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

Brad Knowles <> writes:

> There will always be people who get their panties in a major twist
> because they feel that too much information was released too soon, and
> there will always be people who get their panties in a major twist
> because not enough information was released soon enough.

Frankly, over the years I have seen pretty few people on the side of the
angels complain that "But *why* didn't you include a weaponized exploit
with your advisory? I feel so cheated!".

> In this day and age, we have the CRD process. Official representatives
> from both Qualys and Red Hat have spoken about their perspective on
> the matter, and they seem to largely be in agreement.

Have we seen anybody from Qualys offer comment? I may have missed that.

> However, this list is not the proper place to have that flamewar.

Really? Why? This list is about concepts and practices in open source
software security, among other things. Discussing how to do ethically
defensible disclosure seems to fit that bill.

> If you really feel that strongly about it, I suggest that you find the
> proper place to have a discussion about what CRD really means and how
> that should be executed. If you can actually help that process to
> become better, I’m sure that most of the involved parties will welcome
> your participation.

Actually, I have something lined up:

Anyway, the reason that this *really* makes me angry is that I have
spent a long time on the defensive side, trying to keep the kids from
messing too much with kind-of-important scientific systems.

In these situations, where an exploit for a new local root vulnerability
turned up without prior warning, we typically started seeing root-level
incidents within 24 hours. Have you ever tried to get big organizations,
made up of a zillion independent entities, to apply security patches
within a timescale of hours?

The last time I dealt with one of those incidents, some kid thought it
was fun to use this shiny new exploit to wreck a compute cluster used
for designing new cancer drugs. Yeah, really.

What many people don't seem to realize is how much the availability of
ready-to-run exploits increases the risk to innocent bystanders.

Show your cleverness all you like; I'll applaud you. Qualys does a lot
of good stuff, they deserve to get a little marketing out of their work.
But hold off on the fscking exploits until the user base has had a
sporting chance to patch, yes?

Leif Nixon
"supercomputer specialists are charming, polite [and] witty" -- Wired Magazine

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.