[asterisk-dev] Re: Security Through Obscurity
Jared Mauch
jared at puck.nether.net
Mon Mar 5 06:44:24 MST 2007
On Mon, Mar 05, 2007 at 12:51:46PM +0200, Tzafrir Cohen wrote:
> On Mon, Mar 05, 2007 at 08:58:04PM +1100, Edwin Groothuis wrote:
>
> >
> > The issue is there, the problem is in the field. The bad guys knew
> > the moment you announced it, the good guys could have known it a
> > little bit earlier if they were warned.
>
> I figure that this was the original intention. But then some "solution
> provider" decided he could help a few select customers of his and
> alarmed the whole world.
Exactly. My big comment on this is in previous "security" notices
folks have said "it's an issue with the chan_skinny driver, you needn't
have to have a phone configured" and this time it's just "Uh, upgrade!".
> > Digium has its policy with regarding to this, and I will respect
> > them, but as you can see, I don't fully agree with it.
>
> I figure that for many if not most people "upgrading to the latest stable
> version" is not practical: there are simply too many changes even
> between versions of 1.2 and upgrading is generally considered a non-safe
> step that requires testing.
This is the case with any system with a large userbase. I deal with
some large companies that put us in places where we can't fix security
bugs because the most recent is too buggy for us to use. I was quite
happy to see a 1.2 version as 1.4 crashes too often in our environment
and I don't have the time to debug it that I would like to have.
> I fully appreciate, though, Digium's efforts for backporting fixes to
> 1.2 as well as 1.4.
As do I, and I understand there is a balance that needs to happen
but this time I think it went a bit too far on the protect information
side.
(I'm looking at the difference between these two:
http://www.asteriskpbx.org/taxonomy/term/32)
- jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.