[route wrote]

> Who is to say the vulnerability in question was NOT being exploited
> prior to release? Odds are it was. Bugtraq is a full-disclosure list.

Ah, jolly good... glad to know it still is...

> The `problem` as you succinctly put it is in *non-disclosure*. While
> it is still questionable whether or not the original posters found the bug
> themselves (the advisory lacked any technical detail) calling them part of
> the problem is a misfire of your disdain (attacking them on the content
> of the advisory --or lack thereof-- is a much better call).

[...etc...]

I can't fault you there, Route, either, and I understand both yours and Spaf's viewpoints, and see the conflict as one of terminology...

I hope that neither of you would disagree that it was at least *impolite* not to inform Vic Abell in advance of the posting of the so-named "HERT" advisory?

I would go further and suggest that it was also *irresponsible* not to do so, because the nature of software such as "lsof" (and most OSS tools) is that it is maintained by one person, who has the say on what is and is not an "official" patch, and who is likely to be the first point of call for worried users who get scared up by such an advisory. If Vic had been on vacation and unreachable, then a whole lot of people might have got clogged up waiting for an "official" response, leading to the ensuing sheep-like panic and media coverage that we can associate with novice systems administrators nowadays.

Alternatively, the HERT boys could have posted a patch (along with the full-disclosure exploit you demand) - sure, but who's to say that if we instill into the less-experienced readers of this list the notion that they should install each and every patch which gets mentioned on BUGTRAQ, someone doesn't trojan one? OK, so BUGTRAQ is moderated, and Aleph is waaaaaaay smart, but it could happen someday.
So, perhaps calling the HERT posting "part of the problem" was abrasive, but I think I see what Spaf's getting at, and what you are too. Nonetheless, I believe that such a gross breach of politeness and respect as is demonstrated by posting an exploit without warning the author AT LEAST in real time, if not before, is disgusting. I hope it is a long time before it happens again.

- alec
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:18 PDT