>Well it seems some people still believe in security through
>obscurity. Three weeks after the vulnerability was announced
>the people with the knowledge of the details have not
>disclosed further information (hi Russ).

Hi Elias.

Why did you release this today? You say it's been in your vulnerability database since 7/29, yet no message was ever sent to Bugtraq about it. Were you, like me, withholding details until a fix?

>Now that same people are asking whether the information should
>be disclosed at all (and trying to get some nice publicity out
>of it).

"some nice publicity"?? Give me a break, I want to ensure that the thing is as widely published as possible so everyone can realize they need to get a fix. Why didn't you do the same? Oh, I forgot, that's not Bugtraq's job.

>Well guess what? An exploit has been around for quite a while now.
>We've had an exploit in the SF vulnerability database for some
>time now. We refer to this vulnerability as BUGTRAQ-ID 548
>"Microsoft JET ODBC Vulnerability".

Again, had it for some time yet never published its existence. Or did you just let a select few know about it?

>Now without knowing the full details of the vulnerability we
>can only guess that this exploit exercises the same
>vulnerability. Maybe the people in the know will enlighten
>us?

Well, with the module password protected it seems clear you're not out to get that critique very quickly. Maybe if you'd let someone know the details we'd be able to answer you. As it is, we're simply left with what appears to be the same exploit.

>Now what does this teach us? That trying to keep the details
>of a vulnerability secret while at the same time announcing
>its existence does not work. If you are going to announce a
>vulnerability, provide all the details. Otherwise keep the
>vulnerability to yourself.

Um, Elias, you announced the vulnerability on Bugtraq on the same day I announced it on NTBugtraq...then you received the exploit details sometime after that...then you kept those details private both by not announcing the availability of the exploit code to Bugtraq **and** by making the exploit code readily unavailable by password protecting it. Who's calling the kettle black here?

>BUGTRAQ and Security Focus will always be committed to
>full disclosure. Your mileage may vary with others.

And all power to you, but you should at least try and abide by your own definition of what full disclosure means. You got the exploit code and didn't tell your list?? You release it but don't let anyone see how it works?? Which part of this is "full disclosure" and which part is an attempt to prevent NTBugtraq from receiving what you call "some nice publicity"??

Your message has simply stated that you are willing to compromise your own goals and values to ensure NTBugtraq doesn't get publicity on something that Bugtraq can. I personally don't care if NTBugtraq gets mentioned anywhere in this story, as long as the public is alert and made aware of the threat of exploit. Since I've never seen Bugtraq quoted in the mainstream media, I sorta thought you all were useless at that sort of thing. Maybe I'm wrong...we'll see I guess.

If, however, SecurityFocus can find some other way to pummel me and NTBugtraq, please do so, I doubt the public needs this sort of angst.

Cheers,
Russ - NTBugtraq Editor