Bugtraq mailing list archives

Re: Security through obscurity, etc.


From: jsz () ramon bgu ac il (jsz)
Date: Tue, 13 Dec 94 19:28:47 IST



On Tue, 13 Dec 1994, jsz wrote:

CERT consists of bureaucrats; 8lgm of posers -- what's the difference,
after all?

8lgm does not pretend to be god's gift to the net.


True: but IMHO, posting scripts that would add a "+ +" to /.rhosts --
or add a root entry into passwd file are useless; It'd make me respect
Neil & Karl, if they didn't post such scripts, and instead would give
detailed information about the vulnerability they found. I do respect
the amount of work they did already though.


At least you can't use CERT's advisory to crack root on a site, and wipe
out important files; 8lgm's advisories were, and in fact are being used
for those purposes as well.

I am sure this has been said by dozens of people but:
If you restrict exploits to the script hackers then only the script hackers
will know what they are. In turn, organizations like CERT will not know
what they are until some time after the release, when the effects can be
examined second hand.

Pick your poison.


My position is pretty clear: posting breakin code on public lists causes
nothing but chaos and needless panic. I vote no for full disclosure;
I vote for free information -- but without breakin scripts that give you
a root prompt. I am interested in statistics on how many times 8lgm scripts
were used for malicious purposes. Maybe CERT might tell us? B-)

Consider it another fruitless noise on bugtraq.


