Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sendmail Bug Tests US Dept Homeland Security

Posted by CmdrTaco on from the not-to-mention-sysadmins-everywhere dept.

yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."

5 of 293 comments (clear)

  1. I work for the government. by joe630 · · Score: 5, Interesting

    We all got notified to patch our systems immediately.

    Everyone is working togther to get all the systems running sendmail patched.

    While this doesn't seem like a big deal in the corporate world, in the government world, all red tape has been removed and we can make changes to critical systems INSTANTLY.

    FIX FIRST, meet later. It's an entirely different attitude, and it allows me to do my job more efficently. It works.

  2. What about international software? by bigberk · · Score: 5, Interesting

    Is the U.S. Department of Homeland Security also going to try and take care of software developed internationally?

    For example, it seems that a lot of OpenSSH development is done in Canada and Germany. And the server is run out of Canada.

    The OpenSSL team looks primarily international too (UK, Germany, Sweden, New Zealand). There server is managed by Brits and Swedes.

    Actually... I think you'll find that a lot of crypto software is based outside the US. Probably due to constraints placed on crypto development in the last decade.

  3. ISS - proven shills by Anonymous Coward · · Score: 5, Interesting

    Once again, ISS have let the community down. Instead of informing the vendors, or CERT, or even just posting to Bugtraq, they informed the USG first. As a result .mil sites had the patch four days before anyone else (so far as we know) were even aware that there was an issue. [Although they claim that they checked their private "sensor" networks, somehow I doubt they have better coverage than eg DShield.org. ) This is unacceptable behaviour for an info-sec company that wants to be a responsible member of the community, and of course is just the latest in a list of behaviour that I at least consider unethical. I work for an ISS reseller outside the USA, and I will be exercising my influence internally to push for replacing the ISS prodcuts either with Free alternatives, or proprietary products from companies with a better grasp of their responsibilities. BTW we have several very big global clients.

  4. Goverment is getting credit! by giberti · · Score: 5, Interesting

    I think it's interesting that the government is getting credit for working with the private sector in releasing information. Part of the the point of open sourced software is so that bugs can be found and patched quickly. The CERT email I got yesterday afternoon had MANY patch sources listed by vendor (RedHat, Apple, Sendmail etc) and was timely. I don't belive that the pat on the back goes to Uncle Sam in this situation, but rather the folks at Sendmail who worked to resolve this issue in a timely and organized fashion. They released the information to those who needed to know (including the DHS) and worked on a solution to get this stuff out to the public.

    To quote Eric Raymond, "Given enough eyeballs, all bugs are shallow"

    Kudos to Sendmail for getting this taken care of.

    --

    AF-Design, web development.
  5. Maintain Obscurity!! by tacocat · · Score: 5, Interesting

    The one thing I didn't like about this article was the idea that this kind of process should be followed by everyone. This is what I saw as the process:

    1. Find a bug
    2. Tell only the owner.
    3. Keep it a secret until the owner comes back with a fix
    4. Now go tell everybody about the bug and the fix at the same time

    Here's the flaw(s) in this process:

    1. There is no interim action. While you wait for me to fix the bug, everyone in the world is vulnerable without the option of shutting down that service or taking additional safeguards against the bug. This could be days to months of insecurity. What makes you think DHS is always going to be the first to discover an exploit?
    2. I don't see how a Government Department is going to succeed where Public Voice has failed.
      • Microsoft has some huge security flaws in their browser that they have admitted will not be fixed in the near future. This is public knowledge. Public Voice has failed
      • Microsoft, as another example, has managed to avoid doing a lot of things it's supposed to by litigation. This can cause great delays in progressing a security notification.
      • Past practices by some companies is to sue the disclosures of bugs with a gag order. How will this be different? The government gets sued (and bought) all the time
    3. How is this process going to be handled when there is no Company supporting the code? I'm uncertain that this will be supportive in the OpenSource Model.

    I guess the biggest thing that I don't like about this is that idea that this model will support the Closed Source software model because of the arguments of:

    • What you can't see won't hurt you.
    • There's a great big company to yell at.
    • We (Govt and Corp) can talk in private. You open sources are all a bunch of security risks
    • If anybody tells of a bug early, they must be a terrorist.