Full Disclosure mailing list archives
Re: Re: Second critical mremap() bug found in all Linux kernels
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Wed, 18 Feb 2004 08:01:00 -0800
Paul,

It's "full disclosure" for God's sake. WTF is this "proper grace period" crap? Who decides what constitutes a "proper grace period"? You? Me? The vendors?

There's a hole. Here's how you test/exploit the hole. The script k1dd13z have it now. Fix it quick. Don't wait!

Full disclosure. Not necessarily "responsible" disclosure, but hey, the vendors released the code with the hole in it. Was *that* responsible? I mean, what are we talking about here, security or some kind of standards body that decides who gets what info?

You may object to my position. How can a responsible security professional advocate this, you ask? Simply because I recognize that the vendors will not fix security holes unless they are forced to by expediency. Security is a revenue drain, and unless there is a viable threat security remains a very low priority on organizations' list of things to do today. The release of the PoC code or exploit into the wild creates the viable threat that results in vendors getting off their collective asses and doing the work to patch the hole.

If the vendors would do more than adequate testing in the first place the damned hole would have been found and fixed before the product shipped. Instead people like you and I and Christophe Devine perform free security auditing for the vendors.

Full Disclosure. Read the list charter. It's about putting it out there regardless of the consequences, because information should be free and vendors don't give a shit unless there's some fire being held to their feet.

G

On or about 2004.02.18 15:52:15 +0000, Paul Starzetz (ihaquer () isec pl) said:
> please do not post any exploit code(s) before a proper grace period.

--
Gregory A. Gilliss, CISSP E-mail: greg () gilliss com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html