Bugtraq mailing list archives

Re: Fwd: Any user can panic OpenBSD machine


From: mejenn01 () STARBASE SPD LOUISVILLE EDU (Michael Jennings)
Date: Tue, 28 Jul 1998 12:49:47 -0400


On Monday, 27 July 1998, at 22:05:45 (-0600),
Theo de Raadt <deraadt () CVS OPENBSD ORG> wrote:

> However, this bug does not by itself provide anyone with a way to gain
> elevated privileges and greater control of the system.  That is what
> most of us normally call an 'exploit', or has the lingo changed
> recently?

I won't even begin to count the "exploits" which have passed across
this list recently that result in no machine compromise other than
simple denial of a single service.  I can't understand why one would
want to point fingers at this particular issue, especially in light
of the fact that it deals with the DoS of the entire operating system,
after so many recent examples of much tamer "exploits."

> On the other hand, my guess is that people expect a whole lot of
> OpenBSD now, which well, is fine, we will continue to try.. but don't
> get too upset if a few human failings show through.  I am on a few
> Linux developer mailing lists, and I see ways to crash Linux get
> discussed all the time.  But I have not seen many ways to crash Linux
> on BUGTRAQ, so I think people expect more of us.

Don't people always expect more of those who, at least in their own
minds, have more to prove?  Just look at the consumer expectations
of NT versus those of UNIX....

> Well, I find it hard to believe that you are making that particular
> statement without bias.  We are human, too.  We make mistakes from
> time to time.  Who knows, maybe tomorrow someone will crash your
> machine using such an `exploit' for your favorite operating system.

Perhaps so.  And if they do, rest assured that I'll post the exploit
information to BUGTRAQ.  That is, after all, the whole point, isn't
it?  Passing information into the hands of those who need it and may
be affected by it.

> Black hats distribute information on how to crash systems?  I thought
> they were concentrating on breaking root.

Then you haven't been paying attention lately.  Let's see here...
ping of death...NT BSOD exploits a-plenty...Exchange Server and IIS
DoS attacks...Appex terminal server DoS....  I could go on for days.

As much as I agree with you 99.9% of the time, I have to take issue
with this one, Theo.  Perhaps it hit closer to home than some, but it's
still an exploit.

Michael

--
 "Though it's been a while now, I can still feel so much pain.  Like
  the knife that cuts you, the wound heals, but the scar, that scar
  remains."                      -- Poison, "Every Rose Has Its Thorn"
=======================================================================
Michael Jennings        http://www.tcserv.com/         <mej () tcserv com>
Senior Systems Engineer, Synectics, Inc.      http://www.synectics.com/


