Bugtraq mailing list archives
Re: CERT, CIAC, etc. and unethical practices
From: clavin () iag net (Chris Lavin)
Date: Sun, 22 Dec 1996 12:17:04 -0500
Ok, Well we tried this recently with Sun! Sun in no uncertain terms told us OH WELL!...That comes right from the Manager of teh Kernel group Myron Kashima!...We have found a problem with Solaris X86 2.5.1. We could put together a lil 20 line C program that would cause the kernel to hard lock when a user opens a tcp socket to a machine that throwsa up a banner reply (This inclusdes Suns own Mail machine). Well anyway we went around with Sun for three months b4 we released the exploit to the newsgroups and on bugtraq. We have tried the diplomatic route IT DON'T WORK!..So maybe if a few people start to crash X86 systems Sun will do the right thing and fix the bug. Oh did I fail to mention that Sun would be willing to fix the bug if we BOUGHT a contract and paid them for their time?...Thanx =============================================================================== Chris Lavin <clavin () iag net> The Internet Access Group, Inc. 801 W.Highway 436 - Suite 2151, Altamonte Springs, FL. 32714 Voice:407-786-1145, Fax:407-682-7327 =============================================================================== On Sat, 21 Dec 1996, d wrote:
In light of the recent discussion that has taken place in regards to {CERT,CIAC,AUSCERT,HP,SGI,etc} and their lack of ethics when it comes to crediting other peoples research; I am happy to announce a LARGE company that just did the exact opposite!While I applaud lotus, and not to be a wet blanket or anything, I think that more companies would be more enthusiastic about acknowledging contributions of the people on these lists if they perceived us working with them, rather than against them. Posting code to a list & telling the world in no uncertain terms that you think that they are complete assholes and idiots is not the best way to make friends with them. If you don't want to be friendly with 'em, I don't care myself - it's a free world (at least in many places.) Just don't be too surprised when they say, essentially "fuck you" right back at ya by not giving you credit that you definitely deserve. One of the most effective things that I've seen (from working at cert and at a couple of unix vendors), that is, if you want some sort of credit, is to simply notify the vendor/developers/CERTs/whatever of the problem *before* posting it to the list. Give them a bit of time work out a fix, and *then* post the details. You might say that you don't know who to send things to or that they will just take too long to fix it and it's not worth your time, but I sometimes wonder how often people have even tried this approach lately - certainly I haven't seen much complaining lately about trying to talk to them *before* posting it on a list. There are often sympathetic ears at some of these companies, although it can be hard to find them (and perhaps if anyone ever does find one at any company it might be worth posting about it and telling the rest of us who to contact in the future). Again, I think it's great what lotus did, and I'm certainly all for places like the l0pht and yuri and sod and so on (just to name a few places) - it's obvious that there are a lot of bright and talented people out here. But I haven't seen much talent in the ol' PR dept. lately. Just some thoughts - -- d
Current thread:
- Re: CERT, CIAC, etc. and unethical practices d (Dec 21)
- Re: CERT, CIAC, etc. and unethical practices Chris Lavin (Dec 22)
- Re: CERT, CIAC, etc. and unethical practices Joshua Daymont (Dec 22)
- <Possible follow-ups>
- Re: CERT, CIAC, etc. and unethical practices Catherine Allen (Dec 22)