Bugtraq mailing list archives
Re: [HERT] Advisory #002 Buffer overflow in lsof
From: jsb4ch () HOTMAIL COM (johann sebastian bach)
Date: Fri, 19 Feb 1999 15:33:51 PST
if you are an advocate of computer security, it makes logical sense to notify the vendor of the program before you notify a sea of potential exploiters, *regardless* of whether or not the potential exploiters know of the problem (why blindly assume that they do?). from the point of view of advocates of computer security, full disclosure shouldnt be regarded as some sort of golden truth, rather, as a tool to learn from mistakes made in the past. in accordance, vendors should be allowed to patch a bug before its existance and exploit code is plastered all over internet mailing lists (sure, small circles of hackers may have been exploiting this bug for years, but a small circle of hackers is a far different problem than the sea of script kiddies who dont even know how to use unix, but will then have access to the exploit). exploit code should not spawn a shell and give full access to the machine. if exploit coders would only release exploits that write(1, "hello world".. the root compromises out there would drop by 99% guaranteed. exploit code should be an EXAMPLE to prove that a bug is exploitable, not an instant ticket to root access on thousands of hosts for people who barely know how to use a computer. i could care less about computer security aside from the fact that i would like access to as many hosts as possible. i make these points because many so-called hackers out there think they're fighting for some golden cause by releasing potent exploit code, or mailing stupid advisories to bugtraq to claim their fame before even notifying the coders of the application in question.
From owner-bugtraq () netspace org Fri Feb 19 11:15:53 1999 Received: from netspace.org ([128.148.157.6]:21552 "EHLO netspace.org"
ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <83714-1442>; Fri, 19 Feb 1999 13:40:21 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release
1.8d) with
spool id 992502 for BUGTRAQ () NETSPACE ORG; Fri, 19 Feb 1999
18:32:26
+0000 Approved-By: aleph1 () UNDERGROUND ORG Received: from resentment.infonexus.com
(zagzagel () resentment infonexus com
[207.171.209.38]) by netspace.org (8.8.7/8.8.7) with SMTP id
TAA30837
for <bugtraq () netspace org>; Thu, 18 Feb 1999 19:47:52 -0500 Received: (qmail 1802 invoked by uid 1000); 19 Feb 1999 00:46:17 -0000 X-Mailer: ELM [version 2.4 PL25] Content-Type: text Message-ID: <19990219004617.24816.qmail () resentment infonexus com> Date: Thu, 18 Feb 1999 16:46:17 -0800 Reply-To: route () RESENTMENT INFONEXUS COM Sender: Bugtraq List <BUGTRAQ () NETSPACE ORG> From: route () RESENTMENT INFONEXUS COM Subject: Re: [HERT] Advisory #002 Buffer overflow in lsof X-To: spaf () CS PURDUE EDU To: BUGTRAQ () NETSPACE ORG In-Reply-To: <199902181724.MAA15115 () dorsai cs purdue edu> from "Gene
Spafford"
at Feb 18, 99 12:24:52 pm [Gene Spafford wrote] | | People who publish bugs/exploits that are not being actively
exploited
| *before* giving the vendor a chance to fix the flaws are clearly | grandstanding. They're part of the problem -- not the solution. | Who is to say the vulnerability in question was NOT being exploited prior to release? Odds are it was. Bugtraq is a full-diclosure
list.
The `problem` as you succinctly put it is in *non-disclosure*.
While
it is still questionable whether or not the original posters found
the bug
themselves (the advisory lacked any technical detail) calling them
part of
the problem is a misfire of your disdain (attacking them on the
content
of the advisory --or lack thereof-- is a much better call). The
problem,
in this case, would be the malevolent individual(s) breaking into
your
machine exploiting this bug (before or after it was disclosed). Don't shoot the messenger. -- I live a world of paradox... My willingness to destroy is your chance
for
improvement, my hate is your faith -- my failure is your victory, a
victory
that won't last.
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- Re: [HERT] Advisory #002 Buffer overflow in lsof, (continued)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Lee Brotzman (Feb 22)
- NcFTPd remote buffer overflow Julien Nadeau (Feb 23)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Alan Cox (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Alex Shnitman (Feb 20)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Wichert Akkerman (Feb 21)
- Possible DOS attack in the .nu domain service Shane Wegner (Feb 20)
- Severe Security Hole in ARCserve NT agents (fwd) Weld Pond (Feb 21)
- Administrivia Aleph One (Feb 22)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Friedrichs, Oliver (Feb 18)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Eric Stevens (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof johann sebastian bach (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof der Mouse (Feb 19)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Zhodiac (Feb 21)
- Re: [HERT] Advisory #002 Buffer overflow in lsof Ronny Cook (Feb 21)