Full Disclosure mailing list archives
RE: No Subject (re: openssh exploit code?)
From: mitch_hurrison () ziplip com
Date: Mon, 20 Oct 2003 16:18:05 -0700 (PDT)
Hi Paul,
So there's the 1% l33ts like you, and then there's the 99% of the human populace that has other things to do besides squirrel around with code. I get it.
How does my "squirreling around with code" all day bare relevance to the points I put forward? If anything you as an admin should be happy noone has been foolish enough to release an exploit en-masse no? I chose this life and I chose to commit myself to the research I do. I work hard at it and I don't think releasing exploit code is a justifiable action in this day and age. Then you come wobbling out of the woodwork to muster up some obscure insult about me being a "code monkey"? Very classy Paul. We are discussing wether or not exploit code should be put forward in a case were a bug has been clearly identified as a security issue and the possible ramifications of this issue have been made public. I find your comments rather childish and certainly not fitting an "Adjunct Information Security Officer" of a large University.
I learned in high school (which was a long long time ago) that there are those that say they can do something, and then there are those who don't say anything but do a lot. You appear to fall into the first category based on your ramblings.
I'm glad you learned something in High School Paul. Good for you. Your actions on this list suggest nothing other than you being a brazen loudmouth village idiot of sorts. Maybe you should stick to your High School rhetoric and leave argumentation to the grown ups?
Once again, another clueless code monkey who "admins" a network of one. I'm not impressed.
You seem to be holding a rather large grudge against the very people who provide you with your livelyhood. You're not impressed? Who's supposed to be impressed here. We're debating an issue that is very relevant to this list and to future similar events. I don't see how your kindergarten antics are appropriate here. With regards, Mitch
-----Original Message----- From: Schmehl, Paul L [mailto:pauls () utdallas edu] Sent: Monday, October 20, 2003, 3:37 PM Cc: full-disclosure () lists netsys com Subject: RE: [Full-disclosure] No Subject-----Original Message----- From: mitch_hurrison () ziplip com [mailto:mitch_hurrison () ziplip com] Sent: Monday, October 20, 2003 3:44 PM To: frank () knobbe us Cc: full-disclosure () lists netsys com Subject: [Full-disclosure] No Subject I think you misinterpreted my argumentation. In my eyes anyone who is not independently capable of verifying the exploitability, or atleast devising the theory behind possible exploitation, of the ossh nul overflow is a "script kiddie". As you so aptly put it.So there's the 1% l33ts like you, and then there's the 99% of the human populace that has other things to do besides squirrel around with code. I get it.Now if you're somewhat at home in heap mismanagement bugs you should know that this issue, provided you have a favourable heap layout (hooray for memory leaks), is exploitable on atleast Linux. That's as far as I'll go. Remember apache? One man's DoS is another man's remote. For god's sake even ISS believes the issue to be exploitable. And Duke may be alot of things, stupid he is not. (ok so maybe that's up for debate, hi Mark!) As far as the PAM issue goes, that's fucking trivial.I learned in high school (which was a long long time ago) that there are those that say they can do something, and then there are those who don't say anything but do a lot. You appear to fall into the first category based on your ramblings.Now at the end of the day it's neither my duty nor my desire to release anything. I don't owe you shit. And I'm not about to post something that took alot of research just to make a moot point. Any admin who did not patch their servers using "oh it's just a DoS" as justification should be fired on the spot. Again, and this is getting tiresome, a bug was recognised to be a security issue. Security issues get a priority to patch. It'd be a different story if it wasn't published as being a security issue.Once again, another clueless code monkey who "admins" a network of one. I'm not impressed. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 20)
- Re: No Subject (re: openssh exploit code?) Gregory A. Gilliss (Oct 20)
- Re: No Subject (re: openssh exploit code?) Paul Schmehl (Oct 20)
- Re: No Subject (re: openssh exploit code?) security snot (Oct 21)
- Re: No Subject (re: openssh exploit code?) John Sage (Oct 21)
- Re: No Subject (re: openssh exploit code?) madsaxon (Oct 21)
- Re: No Subject (re: openssh exploit code?) Paul Schmehl (Oct 20)
- Re: No Subject (re: openssh exploit code?) Gregory A. Gilliss (Oct 20)
- <Possible follow-ups>
- Re: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- Re: No Subject (re: openssh exploit code?) Anders B Jansson (Oct 21)
- Re: No Subject (re: openssh exploit code?) S . f . Stover (Oct 21)
- Re: No Subject (re: openssh exploit code?) Jason Coombs (Oct 21)
- Re: No Subject (re: openssh exploit code?) morning_wood (Oct 21)