Re: Duplicate List Messages [I guess there's a serious majordomo bug...]

[ericm () MicroUnity com (Eric Murray)]

Graham Toal wrote:
> Hahaha!  Isn't that just like the thing - the owner of a 'full disclosure'
> list resorts to security by obscurity when it's *his* machine that's
> vulnerable.
>
> Wish I hadn't wasted my money phoning the States to warn you about
> it last night.  Excuse me while I sign up with CERT's mailing list
> again, they'll probably tell me more :-(


If you'd think about it for a moment, it makes sense.

1. the bugtraq list has a lot of hackers on it.
        Posting a hole to it gives it a very wide distribution.

2. there's a list specifically for the users of the
        afflicted package, actually there's two lists.  More of the people
        who use majordomo are presumably on that list than the bugtraq list.
        Preumably there's fewer hackers on it; mailing list sofware
        isn't all that interesting.

3. info about the hole was posted to one of the majordomo lists.
        So most (many?) of the sites that run it would already know.

and finally
4. the owner of the machine that bugtraq runs on hadn't patched the hole yet.

I don't blame Scott for wanting to wait a few hours.  It'd be pretty
damn altruistic to post detailed instructions on how to break
into your own machine before you've even figured out a fix.
If you have figured out a fix, you'd want to test it before you
post it, eh?  Otherwise if you get it wrong a lot of people
who've applied it without understanding it and checking it will
be mightily pissed.


--
     ericm         ericm () microunity com