On Thu, 18 Feb 1999 routeat_private wrote: > [Gene Spafford wrote] > | > | People who publish bugs/exploits that are not being actively exploited > | *before* giving the vendor a chance to fix the flaws are clearly > | grandstanding. They're part of the problem -- not the solution. > | > > Who is to say the vulnerability in question was NOT being exploited > prior to release? Odds are it was. Bugtraq is a full-diclosure list. > The `problem` as you succinctly put it is in *non-disclosure*. While > it is still questionable whether or not the original posters found the bug > themselves (the advisory lacked any technical detail) calling them part of In the adv. there was written: Author: Mariusz Tmoggie Marcinkiewicz <tmoggieat_private> I'm the witness that he DID found a bug themselfe (maybe he was not FIRST ever). Tmoggie called me tuesday evening and he said that there is a bug in lsof (he was prepairing CD with S.u.s.e distribution, so he installed it and did some find for suid/sgid files). Next day, I found his mail about it (which was addressed to hert and lam3rz mailing lists) in my mailbox, so I wrote an exploit (it took me about half an hout), I used slackware linux. After that I posted it back to HERT. Becouse of something there was a lot of rumor about this vul. on #hax channel on IRC, so Anthony Zboralski <aczat_private> HERT maintainer decided to write an advisory to made it public. > the problem is a misfire of your disdain (attacking them on the content > of the advisory --or lack thereof-- is a much better call). The problem, > in this case, would be the malevolent individual(s) breaking into your > machine exploiting this bug (before or after it was disclosed). > So now you know WHY it was published so fast, without giving a chance to fix it... BTW: finding such kind of vulnerability is not so hard! As I can undestand that authors of lsof could be not familiar with security, but I cannot undestand WHY people that are NOT good in security issues are doing COMMERCIAL distributions (like S.u.s.e or RH)??? > Don't shoot the messenger. :) -- Kil3rat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:29 PDT