Slashdot Mirror


User: ryanr

ryanr's activity in the archive.

Stories
0
Comments
755

Comments · 755

  1. Sample Chapter on Ruby Developer's Guide · · Score: 5, Informative

    And don't forget that Syngress typically offers a sample chapter for each book:

    http://www.syngress.com/book_catalog/183_Ruby/sample.htm

    If you want to see what the book is like.

    (Note: I write books for Syngress, though I have no financial interest in this one. Consider this a plug if you like.)

  2. Re:WARNING: Personal Opinion on Recommendations for Third Party Security Audits? · · Score: 2

    I appreciate the sentiment, but we don't do penetration testing.

  3. Re:Not wireless VGA on Wireless Monitors? · · Score: 2

    I'm not saying it wouldn't be useful, just that it's not quite what the headline says.

    I wouldn't mind having a wireless tablet myself, I just haven't seen one at a realistic price. (Though I didn't try to see how much this one cost.)

  4. Not wireless VGA on Wireless Monitors? · · Score: 1, Redundant

    It's a WinCE tablet running Terminal Server client.

  5. Re:$100 on Hardware Review: Rio Receiver · · Score: 3, Interesting

    Speaking of which, where can they be had for $100? I see $142 at Amazon (out of stock), and about $150-170 most other places.

  6. Re:200 dpi looks almost like paper on Tiqit Handheld PC · · Score: 2

    Huh?

    Yes, it's 200 dots per inch, but only if you want to look at the equivalent of a 3.2 by 2.4 inch piece of paper. Or the same size screen as an IPAQ.

    Problem is, the software will treat it like a VGA screen, it will be trying to do things like put up a full page on the screen.

  7. Re:CERT Considered Harmful. on Security Hole In SNMP · · Score: 3, Informative

    According to ZDNet, this vulnerability was reported to CERT by a research team one year ago. It was only today announced in an advisory. CERT maintained a multiple-month window of time to suppress the advisory.

    And yet, looking at the advisory, the most important vendors don't yet have patches. In particular, Microsoft, Cisco, and Sun remain vulnerable, with no released patches!

    The entire rationale behind keeping vulnerabilities quiet is to enable vendors to fix the problem before the exploit falls into the hands of attackers. The entire rationale behind CERT's very existence is to act as a clearinghouse for vulnerabilities so that fixes can be coordinated prior to announcements. Virtually every credible security researcher has repeatedly exclaimed that CERT's model doesn't work. I can't imagine a clearer vindication for CERT's critics than this.


    Not that I'm trying to validate CERT's model mind you...

    They were somewhat forced into releasing today. There was a leaked early version of the advisory (with no details) that had a release date of February 20th. Details were spilling out from various sources. Given how many patches were announced today after the advisory, it's safe to say that those vendors must have been pretty close to being ready.

    It also demonstrates that it's not possible to try and give that many vendors that much warning, and not have leaks.

  8. Re:DivX on Limited-Use DVD Technology · · Score: 2

    It's psychological. We don't mind if it's a rental, we don't feel like we own it. The actual price tag isn't that important. I don't think they will be able to get "rental" into people's heads. As long as the old disk is around, unwatchable, or they had to throw it away, they're going to feel screwed.

    Haven't you ever felt like something is being wasted when you throw away an AOL CD?

  9. Re:OK, This is IT! on Limited-Use DVD Technology · · Score: 2, Funny

    Yes, I noticed that too. I have to wonder if there aren't some market research people out there saying this to each other:

    "Hey, you don't think consumers and retail establishments will associate this with DIVX, do you?"

    "I dunno, let's put out a press release, and see what the reaction is..."

  10. Re:DivX on Limited-Use DVD Technology · · Score: 2

    No, no they don't.

    Especially not these ones... have you heard some of their reasons why they think DeCSS is bad?

  11. The other shoe... on Limited-Use DVD Technology · · Score: 4, Insightful

    So, now we see why they were so keen to eliminate DVD copying software. If only they hadn't made DVD copying a complete and utter technical impossibility.

  12. Re:Better solution! on 9th Circuit: Thumbnails Are Big Enough For Fair Use · · Score: 2

    I don't believe it, an on-topic goatse.cx post.

  13. "Me too!" on What Kind of Books do You Want? · · Score: 1

    I'd buy:

    GCC Internals
    Linux/Unix Lowlevel Programming
    Using GNU Development Tools

    From that list.

  14. Re:dead tree books on What Kind of Books do You Want? · · Score: 3

    Yes, I like to have both. (My publisher lets you download an e version of pretty much whichever books you buy on paper. They will also let you buy the paper copy ahead of time, give you the e copy for immediate gratification while the paper is being printed, and then ship it to you. There are usually a couple of weeks lead-time between when the book is ready electronically, and when it's ready to be shipped. Pretty slick idea, I think.)

    Since so many people have done a good job espousing why paper is good, let me point out my favorite parts of the ebooks:

    - Searchable (few books have really excellent indexes)
    - Updatable
    - Can slap a bunch on a PocketPC, and have them for when I'm stuck some place with nothing to read, or want a quick reference.
    - Can cut-and-paste (code examples really suck without an ebook. Also great for quoting bits in emails.)

    ...and I'm trying really hard to not plug my next book, which should be available in electronic format at the publisher site in about 10 days or so. I should be working on it instead of reading Slashdot....

  15. Re:Exactly (it deserves to be rediculed and ignore on WinInformant Says Windows More Secure Than Linux · · Score: 2

    I'm curious why you would link to an article without reviewing it. If this is to be believed, you linked to an article without even reading it. While I expect that sort of looseness with slashdot to some degree, I confess I'd always held Security Focus in a little higher regard, and consequently expected more selectivity in what articles they choose to headline and link to.

    What makes you think that we linked to it? We didn't, they linked to us. We run a little stats page because people were asking us for the numbers all the time. These other people wrote a short blurb and claimed, based on their misunderstanding of the numbers, that SecurityFocus was claiming that Windows was more secure than Linux. We make no such claim, that's their conclusion.

    The article in question was not linked to by us, was not in our headlines, was not endorsed by us, wasn't even known to us until the Slashdot story.

  16. Re:This, of course, will be ignored and ridiculed on WinInformant Says Windows More Secure Than Linux · · Score: 2

    Where did we claim it was useful? Why does data have to have an obvious conclusion in order to be useful?

    The reason we put it up is because we were constantly getting mail from students and others who wanted to do studies on the number of vulnerabilities in one OS vs. another. So, we made the data available. We really can't help it if people accidentally or intentionally draw some sort of strange conclusion from it. We've added some text that will hopefully make someone think twice about drawing the most obviously-wrong conclusions.

  17. Re:Perhaps you could put that on the stats page? on WinInformant Says Windows More Secure Than Linux · · Score: 3, Informative

    We used to have comments on the page that reflected those concerns. Unfortunately, it seems that they got replaced with the message that indicated the stats weren't being updated at present.

    Similar wording has been re-added, and the aggregate number has been pulled (to help keep people from jumping to conclusions.)

  18. Re:This, of course, will be ignored and ridiculed on WinInformant Says Windows More Secure Than Linux · · Score: 3, Informative

    Looks like the Linux aggregate has just been pulled from our site, probably since that has been the source of a lot of confusion in the past. But, to answer your question: Yes, the Linux aggregate is done in such a way as to keep the same bug from being counted once per distro.

    If I recall from earlier today, the aggregate number was around 90. If you take all of the Linux distros on the page, and just add the numbers, you get 178.

  19. Re:Exactly (it deserves to be rediculed and ignore on WinInformant Says Windows More Secure Than Linux · · Score: 5, Informative

    The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?

    We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.) Sadly, we have very little editorial control over other people's websites.

  20. Re:This, of course, will be ignored and ridiculed on WinInformant Says Windows More Secure Than Linux · · Score: 5, Informative

    Sigh...

    I can't read the original article, it's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.

    First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)

    Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.

    Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.

    Regardless of anything else, using these numbers to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?

  21. Re:The DMC is bad enough - you needn't make stuff on Cracking Crypto To Get Into College · · Score: 2

    Anything you write is automatically copyrighted. You don't have to register it or anything anymore.

    You have to register it if you want to collect damages when you are violated. Otherwise, if you just want to control use of your work, you're correct.

  22. Re:Do we Trust Bill on this? on Microsoft to Focus on Security · · Score: 4, Funny

    Of course. I hear they're going to make their software "unbreakable."

  23. Re:Pardon me... on Microsoft's CLR - Providing a Break from HW Vendors? · · Score: 2

    That was only for the OS. The code was still tied to the architecture it was compiled for.

    I thought there was also an x86 emulator, to run non-native code?

  24. Re:The Correct Answer on On the Differences Between MIS/CIS/CS Degrees? · · Score: 2

    So... you want something that can't be found in a book? Like what?

    It's not that it's not in a book per se. College is there to make you read books that you don't want to.

  25. Re:Wake up! on Linux Virus Alert · · Score: 2

    Good example: OpenSSH has had tens of holes just the last year

    We've got 8 in our bug database for 2001. Are you holding out on OpenSSH holes? :)