Bugtraq mailing list archives

Re: Weakness in some linux versions of adduser.


From: sod () command com inter net (Scriptors of DOOM)
Date: Mon, 9 Dec 1996 00:08:46 -0700


Whee!  An advisory!

Subject: CIAC Bulletin H-10: HP-UX Security Vulnerabilities

Whee!  HP!

VULNERABILITY  Exploit information involving these vulnerabilities have been
ASSESSMENT:    made publicly available.

By?  BY?!?  Doesn't anybody make attribution anymore?

CIAC wishes to acknowledge the contributions of AUSCERT for the
information contained in this bulletin.

Oh, well, I guess they do make attribution.  Unfortunately, as we all must
know, AUSCERT didn't originate this information.  I guess they're just
thanking them because they could steal the AUSCERT Advisory and not have to
do any real work on their own.  Understandable -- they must be salaried.

AUSCERT thanks Hewlett-Packard for their continued assistance and
technical expertise essential for the production of this
advisory.  AUSCERT also thanks Information Technology Services of
the University of Southern Queensland for their assistance.

Hey, good call.  Thank the corporation that created the buggy software,
but don't thank the corporation that exposed the bug.  Hey, AUSCERT,
you're welcome, and I expect to see the letters S, O, and D, possibly
followed by the phrase "HP Bug of the Week" along with a URL, included
in your next advisory about the chfn overflow, please; we'd appreciate
these most modest of accommodations -- and a little "Thank you" to aleph1
couldn't hurt as well.

I'm also a bit curious, maybe someone at AUSCERT could reply to this
message and fill us in a little bit: exactly how did HP assist and provide
the technical expertise essential for the production of your little
advisory?  Did you call up the 633-3600 Support Line and actually get
technical support?  Impressive, if true.  HP Security staff refuses to
comment on security holes until a patch is available, yet you say they
provided _technical_expertise_.  (This message will, as usual, fly on over
to security-alert () hp com, if anyone there is interested in satiating my
curiosity, feel free to Reply to Sender.)

And so I suppose I should mention at this point that the chfn overflow sits
quietly, waiting for download, at http://command.com.inter.net/~sod/, where
one bug a week is the promise we keep, lest we be forced to party like
animals on the sixth ring of Hell, which frankly doesn't sound like a
terrible fate to me.

And let me not fail to mention that included in this week's diatribe,
honorary Homeboy Otto Sync shows us how to tickle the screws on HP's
OpenCall SCP platform used in the SS7 networks of some of our favorite
PSTNs -- now the Internet isn't the only thing that's vulnerable!

G'day


SPECIAL NOTE TO OUR FRIENDS AT HP:

Oh!  Mister Ay-cha Pee-ya, you-a donna how-a nize it is to-a see you
again-a.  We gonna gibba to you a special treat today-a, a discount-a.
A half-a price-a sale, butchew a butta comma quick, since we-a not be
around-a foreva.  I-a canna type like this-a no more.

Quick action will save your customers despair.  That will make them happy,
and their happiness will drive up your sales.  Your rising sales will make
you happy, and increase your income.  Your increased income will drive
your generosity, and you will give to those who have helped you along the
way.  Therefore:

*clears throat*

Please give us sex and/or money; we're not picky.  I think we all realized
a long time ago that love and respect were definitely out for mutants like
us, so now we're just looking for the sex and the money.  For the love of
God, man, we're insanely horny and filled with desire, it's the least you
can do!  We're begging here!

Please?


