Bugtraq mailing list archives

Call to politeness (Re: [HERT] Advisory #002 Buffer overflow in


From: alecm () CRYPTO DIRCON CO UK (alecm)
Date: Fri, 19 Feb 1999 21:47:33 +0000


[route wrote]
Who is to say the vulnerability in question was NOT being exploited
prior to release? Odds are it was. Bugtraq is a full-disclosure list.

Ah, jolly good... glad to know it still is...


The `problem` as you succinctly put it is in *non-disclosure*. While
it is still questionable whether or not the original posters found the bug
themselves (the advisory lacked any technical detail) calling them part of
the problem is a misfire of your disdain (attacking them on the content
of the advisory --or lack thereof-- is a much better call).
[...etc...]

I can't fault you there, Route, either, and I understand both yours
and Spaf's viewpoints, and see the conflict as one of terminology...

I hope that neither of you would disagree that it was at least *impolite*
to not inform Vic Abell in advance of the posting of the so-named
"HERT" advisory?

I would go further to suggest that it was also *irresponsible* not to
do so, because the nature of software such as "lsof" (and most OSS tools)
is that it is maintained by one person, who has the say on what is and
is not an "official" patch, and is likely to be the first point of
call by worried users who get scared up by such an advisory.

If Vic had been on vacation and unreachable, then a whole lot of
people might have got clogged up waiting for an "official" response,
leading to ensuing sheep-like panic and media coverage that we can
associate with novice systems administrators nowadays.


Alternatively, the HERT boys could have posted a patch (along with the
full-disclosure exploit you demand) - sure, but who's to say that if
we instill into the less-experienced readers of this list the notion
that they should install each and every patch which gets mentioned on
BUGTRAQ, that someone doesn't trojan one?

OK, so BUGTRAQ is moderated, and Aleph is waaaaaaay smart, but it
could happen someday.


So, perhaps calling the HERT posting "part of the problem" was abrasive,
but I think I see what Spaf's getting at, and what you are too.

Nonetheless, I believe that such a gross breach of politeness and
respect as is demonstrated by posting an exploit without warning the
author AT LEAST in real time, if not before, is disgusting.

I hope it is a long time before it happens again.

        - alec

