Bugtraq mailing list archives

Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994


From: spaf () cs purdue edu (Gene Spafford)
Date: Tue, 29 Nov 1994 12:32:32 -0500


On Mon, 28 Nov 1994 19:47:52 -0500 I wrote:
Pat,

In the spirit of your message:

You've been skipping your Prozac again.  Naughty, naughty!

--spaf

Part of the intergalactic conspiracy to keep widely known security information 
away from Pat.


Several people berated me for the above post, pointing out that I was
beginning to stoop to Pat's level of insulting behavior.  However,
after 14 years on the net, I *still* find it difficult to ignore
slanderous rants directed at me.  But if I had responded to the
content of Pat's message, it would have somewhat dignified it.  I
obviously should have ignored it, as most readers of this list
undoubtedly viewed Pat's insults and falsehoods for what they were
(those that didn't aren't worth worrying about).

So, my apologies to everyone on bugtraq for that minor lapse in
professional behavior.  Also, my thanks to all of you who wrote
personal mail to me about it, pro and con (but special thanks to those
of you offering humorous follow-ups).

-------------

As to this whole thread on disclosure, it maybe doesn't belong in
bugtraq, although bugtraq is about bugs and Unix security.  There
really isn't another good forum for the discussion, however, and it is
directed at one of the precepts of bugtraq's charter.  It is also
interesting to note how many people fail to understand the difference
between folklore and fact, between superstition and proof.

Many people want it stopped because they have no doubts about full
disclosure being the best thing to do.  One cannot reason with belief
(they have different foundations). They may be right, they may be
wrong, but they don't want their beliefs challenged, so perhaps we
should let the thread die off (or maybe someone will create another
list?).

I've answered over 50 pieces of mail on this general topic in the last
few days. There's not much more to say, which is good, because my
fingers are getting quite tired and many of you have had enough!
Luckily, I'm headed out of town for a research meeting, so I can give
my keyboard a rest (so please don't write me for a while!)

-------------

Let me recap some points that keep coming up.  Many of these should be
obvious to people, but curiously aren't:

 1) one or two (or three) instances does not establish a proof
 2) cause and effect are not proven by temporal order; pigeons can
    be trained to peck at a key expecting food to appear by having
    that happen randomly a few times.  I would hope no pigeons are
    posting to bugtraq, but statements such as "We'll look at recent
    disclosures and subsequent patch releases -- that will prove disclosure
    works" lead one to wonder.
 3) Most vendors could do a better job
 4) Some vendors could do a MUCH better job
 5) Very few people in this community seem to be asking themselves how
    to constructively encourage #3 and #4, and many instead prefer
    extortion.
 6) Remember Hanlon's Razor when talking about vendor response: "Never
    attribute to malice that which can be adequately explained by 
    stupidity."  :-)  Screwups and overwork probably lead to more 
    problems than do conspiracy and evil intent.
 7) Only telepaths have a hope of discerning the true motivations behind
    another's behavior. 
 8) The situation continues to change, and things are probably better
    now than they were even as recently as a year ago

I also note that many people seem to think that I have lots of secret
vulnerability information, or that I get lots of exploit scripts.
(Maybe that explains why there are so many attempts to break into
machines here?)  The truth is, people almost never report new bugs to
me, vendors and CERT don't share the ones they hear about, and I don't
keep secret any that I hear about -- they all get passed on to the
vendors.  Furthermore, the only exploit scripts I recall seeing in the
last 18 months have come from bugtraq -- including all the ones we
have captured from clumsy crackers.  (And please don't send me any to
make up for this!  I have no use for exploit scripts, and I don't want
to have any around to tempt people; my research is into underlying
technology rather than hacking tools.)

I've been asked to give a talk at SANS next year...I think I'll try to
do a paper on the pros and cons of disclosure.  Of course, as a member
of the intergalactic conspiracy, we won't allow any of you to get a
copy.:-)

Finis,
--spaf


