Disorganization campaign

[Matt Conover <shok () dataforce net>]

It appears that there is an intentional effort to give out false and
misleading information to confuse people. Consider that in the last two
weeks alone, there has been a fake snmp exploit from zen (which he says he
didn't send), a fake (or really old) w00w00 exploit, fake TESO cowboy
exploit, and several different rumors of vulnerabilities in apache and
php. It's hard to know what's accurate and what isn't. In some cases
(i.e., the fake zen snmp exploit), it is actually cause harm to the person
running the exploit. I think that was the point. It would appear the
intention is to confuse hackers and script kiddies so that they cannot
tell the difference between what is and isn't real. This will obviously
slow efforts in harvesting new exploits, because a hacker or script kiddie
would have to sort through which new exploits are and aren't real. I find
this part of the campaign to be somewhat honorable. However, I think
another part of the campaign is to make the sources of security
information (i.e., BugTraq and Vuln-Dev) untrustable, and that I disagree
with. Security advisories have their purposes. They help legitimate users
and administrators. I suppose it is a trade off between confusing those
that you don't want getting accurate information and those you do.

I think the likely instigators are the anti.security.is people with too
much time on their hands. So, until they get jobs or girlfriends, I would
take the posting here with a grain of salt. I would avoid running any
exploits posted to this list and distrust any alleged vulnerabilities
without verification from the vendor. If you really wanted to be
altruistic, don't throw flames on the fire--stop distributing exploits
you haven't verified.