Call to politeness (Re: [HERT] Advisory #002 Buffer overflow in

From: alecm (alecmat_private)
Date: Fri Feb 19 1999 - 13:47:33 PST

[route wrote]
> Who is to say the vulnerability in question was NOT being exploited
> prior to release? Odds are it was. Bugtraq is a full-disclosure list.

Ah, jolly good... glad to know it still is...


> The `problem` as you succinctly put it is in *non-disclosure*. While
> it is still questionable whether or not the original posters found the bug
> themselves (the advisory lacked any technical detail) calling them part of
> the problem is a misfire of your disdain (attacking them on the content
> of the advisory --or lack thereof-- is a much better call).
[...etc...]

I can't fault you there, Route, either, and I understand both yours
and Spaf's viewpoints, and see the conflict as one of terminology...

I hope that neither of you would disagree that it was at least *impolite*
to not inform Vic Abell in advance of the posting of the so-named
"HERT" advisory?

I would go further to suggest that it was also *irresponsible* not to
do so, because the nature of software such as "lsof" (and most OSS tools)
is that it is maintained by one person, who has the say on what is and
is not an "official" patch, and is likely to be the first point of
call by worried users who get scared up by such an advisory.

If Vic had been on vacation and unreachable, then a whole lot of
people might have got clogged up waiting for an "official" response,
leading to ensuing sheep-like panic and media coverage that we can
associate with novice systems administrators nowadays.


Alternatively, the HERT boys could have posted a patch (along with the
full-disclosure exploit you demand) - sure, but who's to say that if
we instill into the less-experienced readers of this list the notion
that they should install each and every patch which gets mentioned on
BUGTRAQ, that someone doesn't trojan one?

OK, so BUGTRAQ is moderated, and Aleph is waaaaaaay smart, but it
could happen someday.


So, perhaps calling the HERT posting "part of the problem" was abrasive,
but I think I see what Spaf's getting at, and what you are too.

Nonetheless, I believe that such a gross breach of politeness and
respect as is demonstrated by posting an exploit without warning the
author AT LEAST in real time, if not before, is disgusting.

I hope it is a long time before it happens again.

	- alec

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:18 PDT