[asterisk-dev] Re: Security Through Obscurity

Kevin P. Fleming kpfleming at digium.com
Sun Mar 4 22:11:39 MST 2007


Matthew Rubenstein wrote:
> This security reality is well known in the programming industry. I'm
> disappointed to see Digium acting as if it weren't.

What is obscured? We clearly stated that the vulnerability existed, the
patch to fix it was public, the release that contained that patch was
public.

You would prefer that we enable people who don't have a clue how to
write an exploit to write one anyway by giving them instructions? How
does that benefit anyone? Your comments imply that we are denying that
the problem exists, or hiding what the fix was. Nothing could be further
from the truth.

Every single vulnerability we have corrected since I joined Digium
(which, I believe, is now five) was reported to us privately, fixed
quickly with an open-source patch as we always do, and then (except for
this last one) the company that found the vulnerability made a press
release/security advisory detailing what the flaw was and documenting
when/how it was fixed, what versions were affected, and what users
should do to protect themselves.

In this case, we took the action to document that it was fixed and told
users they should upgrade (and why), because I don't believe this
particular issue was reported by an auditing company so there won't be
an independent release about it. If you want someone to post an analysis
of what the problem was and show you how to exploit it, contact them
(they seem to be interested in getting paid for fixing people's systems
anyway <G>).
