Bugtraq mailing list archives

Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994


From: rwing!pat () ole cdac com (Pat Myrto)
Date: Tue, 29 Nov 94 23:50:30 PST


"In the previous message, Gene Spafford said..."

> On Mon, 28 Nov 1994 19:47:52 -0500 I wrote:
> > Pat,
> >
> > In the spirit of your message:
> >
> > You've been skipping your Prozac again.  Naughty, naughty!
> >
> > --spaf
> >
> > Part of the intergalactic conspiracy to keep widely known security information
> > away from Pat.
>
>
> Several people berated me for the above post, pointing out that I was
> beginning to stoop to Pat's level of insulting behavior.  However,

Sigh.  I stated I had no more to say publicly on this, but I cannot
let this go unanswered.  It was addressed to the list, AND cc'd to me.
So please bear with me.

I didn't start the blatant attacks intended ONLY to insult, Spaf.  I
didn't accuse you of using/needing chemicals, etc. (totally unrelated
to the issue at hand, BTW).  I *DID* respond with a similar remark about
a rarified atmosphere, and double standards.  But only after I saw that
blatantly offensive post.

> after 14 years on the net, I *still* find it difficult to ignore
> slanderous rants directed at me.  But if I had responded to the

SO DO I.  You got a few years on me, but not THAT many.  And the post
was not directed specifically at YOU.  It was in RESPONSE to a post
you made.  It was directed at those who advocate secrecy, keeping info
to a select few.  If the shoe fits, well...

> content of Pat's message, it would have somewhat dignified it.  I
> obviously should have ignored it, as most readers of this list
> undoubtedly viewed Pat's insults and falsehoods for what they were
> (those that didn't aren't worth worrying about).

You have decreed quite a few people "aren't worth worrying about".  I wonder
how they feel about that?

For what it's worth, I received several messages, too.  All complimenting
me on my post and thanking me for saying what needed to be said.  I honestly
expected some flames, so I was surprised.

It appears you essentially grabbed on a post which you did not approve
of the tone, and used it as an excuse to dodge the issue, and fling some
very nasty insults to someone who dared to speak plainly, at least that is
what it looked like to me.

I am not a person for titles, and do not suffer those who expect to be
treated in any kind of special manner solely because of some position,
when they do not offer such treatment to others themselves.  It smacks
of a double standard, and I really do not have any patience with that,
I have seen far too much destruction and hurt because of that sort of
thing.

I would appreciate if you pointed out the slander in my original post.
I ask, because you are the only person who I am aware of who has regarded
it slanderous.  NOBODY, and I repeat - NOBODY that contacted me thought
the post was at ALL out of place.  I re-read it, and found nothing other
than a lack of servile tones.  I don't think servile tones are required
in this society.  We are not a society of lords and serfs - YET.

> So, my apologies to everyone on bugtraq for that minor lapse in
> professional behavior.  Also, my thanks to all of you who wrote
> personal mail to me about it, pro and con (but special thanks to those
> of you offering humorous follow-ups).

Spafford, if you point out the lines that are HONESTLY slanderous, and
tell me how you considered them slanderous, I will PUBLICLY apologize
for them if a disinterested party agrees.  But I really need to know
HOW they are slanderous, at this point all I can apologize for is losing
my temper.

> -------------
>
> As to this whole thread on disclosure, it maybe doesn't belong in
> bugtraq, although bugtraq is about bugs and Unix security.  There

Of course it doesn't - but neither do posts of the sort as those from
8lgm.  I don't recall the charter stating it was a non-disclosure list.
I have stated many times what I felt was a good approach, and yet NOBODY
has even tried it or even *discussed* it, it's always been totally zero
disclosure, or canned exploit scripts:  I support a stepwise approach.
Always have.  And in a final full disclosure, one need not provide a
ready-to-run script to convey adequate info for any kind of admin to
figure things enough out so they can evaluate their own site and situation.
What really pulled my chain especially about the 8lgm posts is the fact
that for binmail, there was no mention of the numerous fixes using mail_local
- whether they were or were not vulnerable to the latest condition.
THAT is one aspect that made it especially worthless.  Many folks have
long since replaced binmail, and are using mail_local, procmail, or
similar.  But they got no useful info out of those advisories, whatsoever.

But given a choice between CERT-type postings and canned scripts, I
will take the latter.  At least they give me a CHANCE to fix things
and check platforms not mentioned.  Vendors take time measured in
MONTHS.  In the meantime, one is screwed.  And that doesn't even
address the non-vendor platforms, or heavily modified ones.

Then when you came on and defended this CERT approach, I could see the
dark bad old days coming back at lightspeed.

You ask for proof, but have offered none.  You state that 1, 2, or 3
cases do not prove anything.  But can you prove that disclosure has,
overall, made the problem worse?  I feel the burden is on the person
who wishes to go back to the mushroom mgmt procedure of handling
security problems.  Obviously you disagree.  But to ask for something
you yourself cannot (or will not) supply I feel is wrong.

> really isn't another good forum for the discussion, however, and it is
> directed at one of the precepts of bugtraq's charter.  It is also
> interesting to note how many people fail to understand the difference
> between folklore and fact, between superstition and proof.

That's the problem - the effects of full vs no or nearly no disclosure
are all just that - folklore - so it's a bit of a red herring to even
use that as an issue.  So far, there has been nothing concrete to
support EITHER side.  In that situation, I feel (as do many others)
the benefit of the doubt must go to free flow of information.

This goes double for a hole that is discovered due to the activities
of a cracker.  One that has *NOT* been used for a breakin, but just
discovered by an admin or tech working is an entirely different matter,
as long as a cracker has never exploited it.  But most of the destructive
holes out there I bet are known because of a cracker's destructive
work.

> Many people want it stopped because they have no doubts about full
> disclosure being the best thing to do.  One cannot reason with belief
> (they have different foundations). They may be right, they may be
> wrong, but they don't want their beliefs challenged, so perhaps we
> should let the thread die off (or maybe someone will create another
> list?).

But Spaf, you don't respond too well when your beliefs are challenged,
either!

> I've answered over 50 pieces of mail on this general topic in the last
> few days. There's not much more to say, which is good, because my
> fingers are getting quite tired and many of you have had enough!
> Luckily, I'm headed out of town for a research meeting, so I can give
> my keyboard a rest (so please don't write me for a while!)
>
> -------------
>
> Let me recap some points that keep coming up.  Many of these should be
> obvious to people, but curiously aren't:
> [ ... recap deleted ... ]

Alas, the recap did not answer the original question posed.  :-(

> I also note that many people seem to think that I have lots of secret
> vulnerability information, or that I get lots of exploit scripts.
> (Maybe that explains why there are so many attempts to break into
> machines here?)  The truth is, people almost never report new bugs to
> me, vendors and CERT don't share the ones they hear about, and I don't
> keep secret any that I hear about -- they all get passed on to the
> vendors.  Furthermore, the only exploit scripts I recall seeing in the
> last 18 months have come from bugtraq -- including all the ones we
> have captured from clumsy crackers.  (And please don't send me any to
> make up for this!  I have no use for exploit scripts, and I don't want
> to have any around to tempt people; my research is into underlying
> technology rather than hacking tools.)

Well, people (and I) presume you do have info denied the rest of us,
because one must realize you learned of all the holes you do know about
from SOMEWHERE.  It cannot be osmosis.  Some can be due to your own
efforts and experiments, but not all.

That's why it's hard to believe you don't have access to info the rest of
us are denied.

> I've been asked to give a talk at SANS next year...I think I'll try to
> do a paper on the pros and cons of disclosure.  Of course, as a member
> of the intergalactic conspiracy, we won't allow any of you to get a
> copy. :-)

Again - please specify where I stated anything about any conspiracy.
The closest I came was suggesting that people were sitting on info
for selfish reasons.  That is hardly a conspiracy.

Now who is slandering who?

> Finis,
> --spaf
-- 
pat@rwing  [If all fails, try:  rwing!pat () eskimo com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.
