*BSD News Article 89104



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!spool.mu.edu!howland.erols.net!worldnet.att.net!arclight.uoregon.edu!super.zippo.com!zdc!szdc!szdc-e!news
From: "John S. Dyson" <dyson@freebsd.org>
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: Mon, 10 Feb 1997 20:08:30 -0500
Organization: John S. Dyson's home machine
Lines: 89
Message-ID: <32FFC68E.167EB0E7@freebsd.org>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no> <5dfcpj$t45@agate.berkeley.edu> <DERAADT.97Feb7073546@zeus.theos.com> <32FB463E.167EB0E7@freebsd.org> <slrn5fvd0r.ck7.tqbf@char-star.rdist.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:83846 comp.unix.bsd.misc:2492 comp.os.linux.misc:158316

Thomas H. Ptacek wrote:
> 
> Fri, 07 Feb 1997 10:11:58 -0500 dyson@freebsd.org:
> 
> While I am happy that Mr. Greenman and the FreeBSD Project are flexible
> and understanding enough to give troubleshooters the access required to
> fix the problems they find, the core issues that led to my limited
> involvement with FreeBSD have not yet been resolved.
>
The fact is that FreeBSD is much faster in responding to problems
than commercial software.  You are as welcome to be involved as you
wish, since FreeBSD is a cooperative effort.  If you use FreeBSD, then
it benefits you to help with it.  If you don't use FreeBSD, then
there are other alternatives.

>
> I still feel that FreeBSD, Inc. is not sufficiently open and forthcoming
> with security issues that come to their attention. Representatives of
> FreeBSD, Inc. have explicitly stated, in public, that notifying their
> users of security issues discovered by FreeBSD proponents (as opposed to
> security issues discovered by criminals) amounts to "airing their dirty
> laundry".
>
I am also a representative of FreeBSD in this specific context, and
it is NOT an issue of airing their dirty laundry, but more an issue
of alerting lame hackers.  Frankly, I do NOT run around in the
hacker community, and do NOT know what is known in that shady place.

>
> Evidently, FreeBSD, Inc. would like their thousands of users to
> learn about security problems by being broken into.
> 
Wrong conclusion.

>
> While I understand and respect FreeBSD, Inc.'s desire to engineer the
> "correct" fix to problems before going "public" with them, I feel that
> open, full disclosure is a far more important immediate objective than
> perfect patches. Often, security issues can be resolved immediately,
> without program modification, with "chmod 0000".
>
So you would do that to your entire tree?  That is the problem that
we had to deal with.

> 
> Of course, FreeBSD and I have two very different perspectives on this
> situation. FreeBSD, Inc. operates from the perspective of experienced
> operating system developers. My attitudes are generated from an intimate
> familiarity with the workings of the computer underground. Unlike the
> FreeBSD Project, I work under the assumption that any security problem
> found in FreeBSD's code has been discovered previously by someone else
> with the ability and willingness to exploit it. Therefore, from my
> perspective, there's no point in not fully disclosing issues as their
> existence becomes apparent.
> 
Bingo.  Most of us just don't run around in those circles, and find them
to be unsavory anyway.  I also have very tight ethics rules that I have
to follow -- and the hacker community (the bad kind of hackers that is)
is not where I want to tread.

> 
> It seems to me that FreeBSD's apparent hesitation to deal directly with
> OpenBSD and OpenBSD's fixes does a disservice to their users. I would like
> to understand the source of tension between the two projects, and think
> that a dialogue between OpenBSD and FreeBSD developers would do a world of
> good for many, many organizations running FreeBSD code.
>
The problem goes both ways, and the history of FreeBSD/NetBSD has been
mostly a result of misunderstandings due to differences of emphasis and
the very weak communications mechanism that email appears to be.
FreeBSD will have the security problems plugged, and hopefully you will
help as this is a volunteer effort and continue to make money using
FreeBSD as a tool.

>
> Thanks for taking the time to read this.
>
Frankly, FreeBSD has responded very quickly, and had the last
set of problems fixed in approx 1 wk.  We have been trying to
open communications with various ISPs in order to find out what
help they need, but please don't ask us (especially me) to
deal with the unsavory underside of the computer community.
There are those that will, but I for one won't.

John Dyson
dyson@freebsd.org (FreeBSD-core)