Re: [HERT] Advisory #002 Buffer overflow in lsof

From: Peter W (peterwat_private)
Date: Fri Feb 19 1999 - 14:58:00 PST


    On Thu, 18 Feb 1999, Gene Spafford wrote:
    
    > If there is a problem that is not known and not
    > under attack,
    
    How do you know that no one else has found or is using the exploit?
    
    > notifying the vendor and waiting for a valid fix to appear is
    > not going to result in anyone being hurt.
    
    Surely a responsible person would not simply wait until the fix is
    released; even under your rules of etiquette it only makes sense to wait a
    "reasonable" amount of time.
    
    > Posting an exploit widely for a
    > previously unknown problem suddenly opens up all the current users to attack.
    
    For proprietary software that cannot be disabled or replaced with an
    equivalent piece of code, yes, probably. For software you have the source
    code for, or "commodity" applications, or non-critical applications,
    immediate disclosure might help. What if some Internet streaming media
    server you used had a bug that could compromise a machine? Would you
    rather know about it so you could save your tail (apologizing to
    inconvenienced users, of course), or sit on that timebomb and hope the
    vendor ships a new binary before someone else finds the problem?
    
    In *this* instance, it seems that Vic Abell responded quickly, and I'd
    tend to agree that HERT reacted poorly to their "find" -- although in
    fairness while they announced a bug, apparently they did not publish
    exploit code for the script kiddies.** Heck, if they know there's a
    buffer overflow and they have the source, would it kill the HERT folks to
    write their own patch? That's the real crime here: if you have the source
    and are code-literate, why don't you provide a fix? Give something back,
    for crying out loud!
    
    But your sweeping generalizations about what responsible people should do
    are ill-conceived and smack of someone coming to the knee-jerk defense of a
    local friend and colleague.
    
    -Peter, who guesses Spaf will never autograph his copy of PU&IS now ;-)
    
    ** which could bring us into the nasty rootshell/SSH circle -- how do you
    *know* the hole is real if you don't have the exploit code or a patch?
    
    Is Big Brother watching you? Intel is planning on it.
    With Pentium III, there won't be any online privacy. Act now.
     http://www.privacy.org/bigbrotherinside/
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:19 PDT