It appears that there is an intentional effort to give out false and misleading information to confuse people. Consider that in the last two weeks alone, there has been a fake SNMP exploit from zen (which he says he didn't send), a fake (or really old) w00w00 exploit, a fake TESO cowboy exploit, and several different rumors of vulnerabilities in Apache and PHP. It's hard to know what's accurate and what isn't. In some cases (e.g., the fake zen SNMP exploit), it actually causes harm to the person running the exploit. I think that was the point.

It would appear the intention is to confuse hackers and script kiddies so that they cannot tell the difference between what is and isn't real. This will obviously slow efforts in harvesting new exploits, because a hacker or script kiddie would have to sort through which new exploits are and aren't real. I find this part of the campaign to be somewhat honorable. However, I think another part of the campaign is to make the sources of security information (i.e., BugTraq and Vuln-Dev) untrustable, and that I disagree with. Security advisories have their purposes. They help legitimate users and administrators. I suppose it is a trade-off between confusing those that you don't want getting accurate information and those you do.

I think the likely instigators are the anti.security.is people with too much time on their hands. So, until they get jobs or girlfriends, I would take the posting here with a grain of salt. I would avoid running any exploits posted to this list and distrust any alleged vulnerabilities without verification from the vendor. If you really wanted to be altruistic, don't throw flames on the fire--stop distributing exploits you haven't verified.
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 02:30:19 PST