[wplug] OpenSSL security vulnerability
Tom Rhodes
trhodes at FreeBSD.org
Fri May 16 18:17:56 EDT 2008
On Fri, 16 May 2008 09:18:41 -0400
Christopher DeMarco <demarco at maya.com> wrote:
> On Fri, May 16, 2008 at 01:30:08AM -0400, Zach wrote:
>
> > Well that was rather dumb. What is the name of the genius who made
> > this code change and why did it take TWO YEARS to discover this
> > flaw?
>
> Rather than nailing people to trees, let's all PayPal the person who
> *un*covered it. And the Ubuntu folks who responded with a fast
> ssh-vulnkey et al. need some e-beer as well.
Not completely how it works - speaking as a former member of the
FreeBSD Security team AND past member of the Samba security team.[1]
Sometimes the flaw is uncovered by a project developer or member;
that's great. The right people can be notified, reproduce the
flaw, design and test a patch, plan for the announcement, and handle
issues accordingly. Unfortunately, there are cases of common users
finding out and accidentally mailing the information to a list.
This can cause insta-panic for the project. But it does get the
wheels moving rather quickly.
In some other cases, you get some lonely college kid who wants
to make a name for themselves threatening to expose the issue on
a security-related mailing list or vastly popular web site.
Normally those cases mean someone wants to feel important for
a few hours out of the day, and it gives them power to feel they
have the "project at their mercy" for a few moments. A lot of
times they aren't that malicious - I only remember this happening
once or twice. And at least once it was more of
an issue of local versus remote exploit.
Some people are pretty strange ...
[1]: Actually, not really a member, more of a non-member on their
private security vulnerability mailing list for the interest of
FreeBSD and another company - I had the opportunity to make comments
on patches and situations, etc. Jerry is a nice guy. :P
--
Tom Rhodes