[asterisk-dev] Re: Security Through Obscurity
Anthony Lamantia
anthony at petabit.net
Sun Mar 4 22:44:47 MST 2007
>In this case, we took the action to document that it was fixed and told
>users they should upgrade (and why), because I don't believe this
>particular issue was reported by an auditing company
it would have been nice to know a problem existed in chan_sip (on the
website, without having to ask or searching the commits list) and great if a
advisory was posted to one or all of the popular security mailing lists.
>If you want someone to post an analysis
>of what the problem was and show you how to exploit it, contact them
>(they seem to be interested in getting paid for fixing people's systems
>anyway <G>).
when i was scanning seclists.org earlier this morning I saw that there was a
exploit tool for this vulnerability published and available .. and i don't
think anyone here is making money off the security problems in the code.. if
anything the inverse is true losing money in lost customers who can be
effected by this sort of problem.
On 3/4/07, Kevin P. Fleming <kpfleming at digium.com> wrote:
>
> Matthew Rubenstein wrote:
> > This security reality is well known in the programming industry.
> I'm
> > disappointed to see Digium acting as if it weren't.
>
> What is obscured? We clearly stated that the vulnerability existed, the
> patch to fix it was public, the release that contained that patch was
> public.
>
> You would prefer that we enable people who don't have a clue how to
> write an exploit to write one anyway by giving them instructions? How
> does that benefit anyone? Your comments imply that we are denying that
> the problem exists, or hiding what the fix was. Nothing could be further
> from the truth.
>
> Every single vulnerability we have corrected since I joined Digium
> (which, I believe, is now five) was reported to us privately, fixed
> quickly with an open-source patch as we always do, and then (except for
> this last one) the company that found the vulnerability made a press
> release/security advisory detailing what the flaw was and documenting
> when/how it was fixed, what versions were affected, and what users
> should do to protect themselves.
>
> In this case, we took the action to document that it was fixed and told
> users they should upgrade (and why), because I don't believe this
> particular issue was reported by an auditing company so there won't be
> an independent release about it. If you want someone to post an analysis
> of what the problem was and show you how to exploit it, contact them
> (they seem to be interested in getting paid for fixing people's systems
> anyway <G>).
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-dev/attachments/20070304/2c1ec5d7/attachment-0001.htm
More information about the asterisk-dev
mailing list