The "Sudo flaw lets Linux users run commands as root..." article
-
(I posted this comment on HackerNews as well): IMHO, publishing an article describing the existence of an OS or App flaw is possibly (I say that cautiously) a legitimate thing to do. But to not only describe the flaw in explicit detail, but to demonstrate how to exploit it, is irresponsible. What's next? A bunch of hackers thrashing about trying to make hay with this information before the hole is plugged in who-knows-how-many targets? I think more responsibility ought to be placed on those who disseminate this kind of information, in cases where it ends up causing harm of any kind.
-
Stick it in your blog or make it a comment on the article.
-
The term you're looking for is "responsible disclosure". The Linux community is always quick to rail against Microsoft for taking its sweet time to implement fixes, so given that this particular problem already has a fix, I don't think it's unfair to have these details disclosed at this point in time. Somewhat related: What I personally don't appreciate is the fact that a lot of vulnerabilities are now well-known, and I have a bunch of Android-based devices that never get any security update, so I'm very much at risk if I wanted to use any of those devices to do any sort of semi-important transaction. My newest device is on Android 6. At the time I concluded I only have myself to blame if I keep buying hardware that never gets security fixes, so I figured that was going to be my last. At some point after that, Google made some sort of vague promise that all devices would get upgrades no matter how laggard an OEM is. Has the situation changed? Should I believe that and spend a couple more hundred bucks again? I'd feel pretty stupid if I did without any assurance...
-
:thumbsup::thumbsup:
dandy72 wrote:
Has the situation changed?
No
dandy72 wrote:
Should I believe that and spend a couple more hundred bucks again?
Not really needed
dandy72 wrote:
so I'm very much at risk if I wanted to use any of those devices to do any sort of semi-important transaction
I have never used a phone to make semi-important transactions yet, and I think I never will. I bought a new "smartphone" not long ago, but only because my old one was having hardware problems (battery dying) and fixing it would have been more expensive (Apple) than what I paid for the current phone (average Samsung).
M.D.V. ;) If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it? Help me to understand what I'm saying, and I'll explain it better to you. Rating helpful answers is nice, but saying thanks can be even nicer.
-
I bought a Nokia with Android One this year; it gets actual system updates over the cellular network, which is pretty sweet. Beats the hell out of installing some OEM software on my PC and walking through an arcane update process that fails if you breathe wrong.
"Never attribute to malice that which can be explained by stupidity." - Hanlon's Razor
-
Nelek wrote:
I have never used a phone to make semi important transactions yet, and I think I will never do.
I'm in the same boat. People trust their phones waaaaay too much. Android devices never get fixed. Apple has now been caught sending browser queries to China. Y'know what? I'm sticking with my Windows phone. It's such a small user base, the bad guys don't bother. And yet it's still getting regular updates (despite being absolutely dead, according to the pundits).