[Koha-devel] Koha Library Software
Robin Sheat
robin at catalyst.net.nz
Mon Jun 6 15:23:23 CEST 2011
Op maandag 6 juni 2011 20:34:17 schreef MJ Ray:
> So let's document the current practice and make it easier? Changing
> the process, adding more steps and special bug cases seems wrong.
No it doesn't. (If you can claim something in that manner, so can I :)
> Delayed disclosure (the neutral name for what you describe, because it
That's not neutral at all.
> is highly irresponsible in the eyes of full-disclosure supporters) has
> often gone too far and resulted in people trying to keep problems
> secret for far too long, like until every vulnerable system is
> patched.
Well then you establish a policy that doesn't have those issues. Problem
solved.
> There are also the risks that someone inside the privileged
> group leaks information to attackers, while good people outside that
> privileged group don't even know that there's a problem.
If you release everything in a full disclosure manner, you give the attackers
information without getting it (and a fix) first to the people who have
something to defend and will require a bit of time to do so. I think that's a
bigger, actual risk than a hypothetical risk of disclosure. If you discover
it's already in use in the wild, then you release immediately, falling back to
full disclosure mode. Best of both worlds.
> Basically, what type of people are we? Would we tell our neighbours
> that their homes are insecure when there's a burglar about? Or would
> we keep quiet until we figured out how to secure our own home first?
You're making a strawman argument. In particular the "there's a burglar about"
bit. In this case, there isn't.
> As far as I know, early all of the vulnerabilities that Koha has
> suffered have been discoverable with fairly simple tools if you knew
> where to point them -
Yes, but (afaik) they are generally discovered long after they're implemented,
which suggests that this doesn't happen a lot.
> most have needed some access to intranet or
> related websites, thankfully.
That's more good luck than good management.
> I don't think there is any such standard (got a link?). Yes, many
> "open source" projects are really closed when it comes to security,
> but popularity is not a good argument for something, else Koha would
> almost never be adopted.
They're not closed. They're just not so open their brains fall out. They (in
general, and I'm sure there are pathalogical examples too) simply try to
ensure that a fix is available at the same time the attack information is
available.
Personally, I'm something of a fan of something along the lines of the policy
described here:
http://web.archive.org/web/20100813161135/http://www.wiretrip.net/rfp/policy.html
As an example, if you report a security issue on the Mozilla bug tracker, the
bug is closed by default until a fix is released. Then it's opened.
http://www.mozilla.org/projects/security/security-bugs-policy.html
This is far more involved than anything I'd suggest for Koha however. My main
concern is to avoid the world at large knowing how to exploit Koha before
anyone can quickly work around the issue (I might know how to mitigate a SQL
injection, but I go to one or two security conferences a year. Not everyone
does.)
> The disagreement between full and delayed disclosure has been going on
> in general for at least 150 years, and over 20 for internet security.
> We're probably not going to change each others' views, but at least
> know that not everyone wants delayed disclosure.
As someone who deploys Koha systems, I'd like to see a release of a fix with
an announcement so that I know I need to update now, and the information
required to do so is immediately available. If it's a difficult fix, then I'd
consider something that mitigates the issue to be acceptable.
--
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/koha-devel/attachments/20110607/562f35ad/attachment.pgp>
More information about the Koha-devel
mailing list