[264] in bugtraq


Security through obscurity, etc.

daemon@ATHENA.MIT.EDU (That Whispering Wolf...)
Wed Nov 30 01:37:15 1994

Date: Tue, 29 Nov 1994 23:06:44 -0500
From: "That Whispering Wolf..." <elfchief@lupine.org>
To: bugtraq@fc.net


Hokay, my $.02, and I'll shut up so that maybe, just MAYBE, we can get
back to discussing bugs (My /dev/tcp question would be a GREAT one to
discuss. Any takers?)

On the side of people who would like security through obscurity, their
biggest complaint is invariably that as soon as 8lgm (or whoever) posts 
how to break bug XXX, they immediately get many attacks on their systems,
etc. Okay, sounds fair.

On the side of people who like full disclosure (for the record, that
group includes myself), our biggest complaint about obscurity is that
not only do we not know what a bug is, but we have no way to check to see
if bug X exists on Y systems (especially true for those of us running
bastardized OSs). Add this to the fact that even if we don't know about
a bug, the underground DOES -- This is pretty much an undisputed fact.

I think there can be a happy median here. I think the BIGGEST complaint
overall with 8lgm (and I'll admit, even /I/ have grumbled a time or two)
is that 8lgm's messages (until recently) all contained 'plug and go'
exploit scripts that ANY moron could save to a file and execute -- This
is going a bit above and beyond the call of duty, IMHO  -- Especially
considering that it's not always thoroughly clear by looking at the
exploit scripts what the bug really IS.

Why doesn't 8lgm, instead of posting exploit scripts, post DETAILED 
KNOWLEDGE of the bug, including source snippets if they can, so that 
those of us that are capable can diagnose our own systems, work around
bugs (etc), while the average joe-on-the-street doesn't just have a plug-
and-go attack on a system. Any hacker with the ability to turn bug details
into an exploit script probably already knows about the bugs anyhow.

Well, this is just my $.02. I think if 8lgm continues the way they're
going (with things like their SCO 'login' problem -- Which basically said
"There's a bug, no fix and no workaround, so nyah"), I'd rather just see them
go away. I echo Pat's comments (I think that was Pat) about only needing
one CERT.

									-WW
