Date: Tue, 17 Sep 2002 19:00:18 GMT
Partial reproduction follows:
>> Date: Mon, 16 Sep 2002 21:47:56 GMT
>> Partial reproduction follows:
>>> A quick workaround was to touch /tmp/.bugtraq.c;
>>> chmod 000 /tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c
>>> After that, I sorta took my time in upgrading.
>> So, uh, there's a flaw in something you're (presumably) running that
>> allows arbitrary code execution, so your response is to protect your
>> system against one specific implementation of an exploit for it, and
>> then cease worrying about it?
>> Knowing full well that if someone created a version that, say, used
>> /tmp/.bugtraq.C, your machine would be infected?
>> Madness, absolute madness.
> I said I sorta took my time in upgrading...I didn't say I ceased
> worrying about it.
Okay, so you protected your system against a specific implementation of
the exploit, and then sat back and continued worrying about it. Gotcha.
> Re-read and comprehend.
> I expect a 3 page essay by tomorrow afternoon on what you took your
> time to understand.
Are we talking 24-line pages, or A4 or Letter sized sheets in 8pt font?
Well, I'll give it a shot, but this is going to be quite difficult. Can
I count this fluff as part of the essay? Dammit, and I'm further cursed
by an irrational need to full-justify every single f*cking line. *.
Oh well. Without further ado, I submit for your approval the following
essay on the topic of, "What Michael took his time to understand."
I believe that the failure in understanding, regrettably, lies not with
my interpretation of your post (wherein you said you "sorta took [your]
time in upgrading"), but rather lies in your interpretation of my reply
to the aforementioned post.
It is certainly true, however, that I was perhaps a little blunt in my
response; my intention was to highlight what I perceived to be a rather
strange response to discovering one's system is potentially vulnerable,
and in so doing, I quite likely created the misconception that I hadn't
fully grasped the meaning and implications of what you were saying. For
that, I can only offer my sincerest apologies.
As to why I found your reaction so strange in the first place, allow me
to explain. This perception of mine (that is, of your reaction to this
situation being unusual, unexpected, or "strange") is largely due to my
assumptions about yourself and your own motivations. It's likely these
assumptions may be mistaken, so allow me to elaborate in a neat little,
space-consuming, numbered list:
1. The mere fact that you took action (the quick workaround that you
mentioned) to secure your system from the potential attack indicates
that you are concerned about your system's security, or at the very
least would prefer it not become another victim of the exploit.
2. You said that you "took [your] time in upgrading". This implies to
me that you knew an upgrade would solve the problem at the time that
you were implementing the workaround, which further implies that the
upgrade was available in one form or another for your system.
3. My understanding of common security practices is such that an
administrator who is security-conscious (as I assumed you to be, due
to point #1 above), upon discovering that they are vulnerable to a
problem for which an update which corrects the problem exists, would
wish to upgrade to the new version in the shortest possible amount of
time.
So, given that I was operating under these assumptions -- which may, of
course, be partially or wholly inaccurate -- it follows that I would be
expecting someone in your position to acquire an updated version of the
software in question that corrects the problem.
Since you indicated that your response to this potential exploit was to
implement a "quick workaround" for the particular problem (whilst still
leaving the actual problem unfixed and open to potential abuse), I felt
somewhat compelled to respond in the manner I did. The purpose of this
was more to warn others that the quick workaround you posted should not
be considered in any way a "solution" to the problem.
I did not mean to imply that you personally considered it a solution as
such; however, your implied complacency (in that you "took your time in
upgrading") may have been interpreted by others as an excuse not to get
the appropriate update(s) for their system(s). I certainly saw that it
could be taken in that way, and chose to respond as if that was indeed
what you intended, as a tool to make my point about it not being a very
good solution to the problem clearer.
Clearly, you took offense at the manner in which I responded to you, so
I apologise and hereby retract any statements which you found offensive
as my intention was not to berate, scold, make fun of or flame you, but
merely to warn others that correcting the symptom of a flaw is *not* an
I hope this clears matters up.
Mike. Remove "-spam" to mail me. Better yet, don't mail me. ;-)
:wq (Hot damn, only two typos in that whole piece!)