[9660] in bugtraq
Re: [HERT] Advisory #002 Buffer overflow in lsof
daemon@ATHENA.MIT.EDU (route@RESENTMENT.INFONEXUS.COM)
Fri Feb 19 14:11:18 1999
Date: Thu, 18 Feb 1999 16:46:17 -0800
Reply-To: route@RESENTMENT.INFONEXUS.COM
From: route@RESENTMENT.INFONEXUS.COM
X-To: spaf@CS.PURDUE.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199902181724.MAA15115@dorsai.cs.purdue.edu> from "Gene Spafford"
at Feb 18, 99 12:24:52 pm
[Gene Spafford wrote]
|
| People who publish bugs/exploits that are not being actively exploited
| *before* giving the vendor a chance to fix the flaws are clearly
| grandstanding. They're part of the problem -- not the solution.
|
Who is to say the vulnerability in question was NOT being exploited
prior to release? Odds are it was. Bugtraq is a full-disclosure list.
The `problem` as you succinctly put it is in *non-disclosure*. While
it is still questionable whether or not the original posters found the bug
themselves (the advisory lacked any technical detail), calling them part of
the problem is a misfire of your disdain (attacking them on the content
of the advisory --or lack thereof-- is a much better call). The problem,
in this case, would be the malevolent individual(s) breaking into your
machine exploiting this bug (before or after it was disclosed).
Don't shoot the messenger.
--
I live a world of paradox... My willingness to destroy is your chance for
improvement, my hate is your faith -- my failure is your victory, a victory
that won't last.