Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261483AbVAMVGl (ORCPT ); Thu, 13 Jan 2005 16:06:41 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261684AbVAMVEJ (ORCPT ); Thu, 13 Jan 2005 16:04:09 -0500 Received: from grendel.firewall.com ([66.28.58.176]:53409 "EHLO grendel.firewall.com") by vger.kernel.org with ESMTP id S261697AbVAMVCe (ORCPT ); Thu, 13 Jan 2005 16:02:34 -0500 Date: Thu, 13 Jan 2005 22:02:29 +0100 From: Marek Habersack To: Alan Cox Cc: Chris Wright , Marcelo Tosatti , Linus Torvalds , Greg KH , akpm@osdl.org, Linux Kernel Mailing List Subject: Re: thoughts on kernel security issues Message-ID: <20050113210229.GG24970@beowulf.thanes.org> Reply-To: grendel@caudium.net References: <20050112185133.GA10687@kroah.com> <20050112161227.GF32024@logos.cnet> <20050112174203.GA691@logos.cnet> <1105627541.4624.24.camel@localhost.localdomain> <20050113194246.GC24970@beowulf.thanes.org> <20050113115004.Z24171@build.pdx.osdl.net> <20050113202905.GD24970@beowulf.thanes.org> <1105645267.4644.112.camel@localhost.localdomain> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="KR/qxknboQ7+Tpez" Content-Disposition: inline In-Reply-To: <1105645267.4644.112.camel@localhost.localdomain> Organization: I just... X-GPG-Fingerprint: 0F0B 21EE 7145 AA2A 3BF6 6D29 AB7F 74F4 621F E6EA X-message-flag: Outlook - A program to spread viri, but it can do mail too. User-Agent: Mutt/1.5.6+20040907i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3463 Lines: 88 --KR/qxknboQ7+Tpez Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 13, 2005 at 07:41:10PM +0000, Alan Cox scribbled: [snip] > > suspect that more people run self-compiled kernels on their servers tha= n the > > vendor kernels, I might be wrong on that). If there is a list that's at >=20 > I'd say you are very very wrong from the data I have access too, > probably of the order of 1000:1 wrong or more. I stand corrected then, you have access to much better sources than I do, no doubts. > > > Licensing is irrelevant. Like it or not, the person who is discoveri= ng > > > the bugs has some say in how you deal with the information. It's in = our > > > best interest to work nicely with these folks, not marginalize them. >=20 > > It's not about marginalizing, because by requesting that their report is > > kept secret for a while and known only to a small bunch of people, you = could > > say they are marginalizing us, the majority of people who use the linux > > kernel (us - those who aren't on the vendor-sec list). It's, again IMHO, >=20 > They chose to. A lot of people report bugs directly to Linus too or to > the lists or to full-disclosure depending upon their view. The folks who > report bugs in private either to Linus or to vendor-sec or maintainers > or whoever generally believe that the bad guys can move faster and cause They can still move faster when the vulnerability (and the fixed vendor kernels) are released. The people who are to install the kernels usually cannot act immediately, so if the bad guys have somebody on target, they will root them anyway. I see no difference here to a model of totally open disclosure list. > a lot of damage if a bug isn't fixed before announce. Again, it works for vendors, not for end users, IMO. > Thats based on the observation that > - the bad guys have to move a small exploit versus a large binary delayed release doesn't change that. One still needs to download and deploy the kernels (possibly compiling them if they have to). > - the exploit doesn't have to pass quality assurance, you just write > more again, closed mailing lists don't change that > - they can automate the attack tools very effectively=20 ditto > So the non-disclosure argument is perhaps put as "equality of access at > the point of discovery means everyone gets rooted.". And if you want a > lot more detail on this read papers on the models of security economics > - its a well studied field. Theory is fine, practice is that the closed disclosure list changes matters for a vaste minority of people - those who are to install the fixed kernels are in perfectly the same situation they would be in if there was a fully open disclosure list. all of this is IMHO, of course - cannot stress that more :) best regards, marek --KR/qxknboQ7+Tpez Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFB5uHlq3909GIf5uoRAl8ZAJ9i891IvD3xCUe1X78yMxlHjON9cwCfdzMZ 3l3xM93yyfySg5LdUJcfdHk= =QcCU -----END PGP SIGNATURE----- --KR/qxknboQ7+Tpez-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/