[499] in bugtraq
Re: Security through obscurity, etc.
daemon@ATHENA.MIT.EDU (jsz)
Tue Dec 13 17:12:33 1994
From: jsz@ramon.bgu.ac.il (jsz)
To: jason@dickory.sdsu.edu (Jason Matthews)
Date: Tue, 13 Dec 94 19:28:47 IST
Cc: elfchief@lupine.org, bugtraq@fc.net
In-Reply-To: <Pine.3.87.9412122253.A4734-0100000@dickory>; from "Jason Matthews" at Dec 12, 94 10:47 pm
>
> On Tue, 13 Dec 1994, jsz wrote:
>
> > CERT consists of bureaucrats; 8lgm of posers -- what's the difference,
> > after all?
>
> 8lgm does not pretend to be god's gift to the net.
>
True: but IMHO, posting scripts that would add a "+ +" to /.rhosts --
or add a root entry into the passwd file are useless; it'd make me respect
Neil & Karl if they didn't post such scripts, and instead gave
detailed information about the vulnerability they found. I do respect
the amount of work they have done already, though.
> >
> > At least you can't use CERT's advisory to crack root on a site, and wipe
> > out important files; 8lgm's advisories were, and in fact are being used
> > for those purposes as well.
>
> I am sure this has been said by dozens of people but:
> If you restrict exploits to the script hackers then only the script hackers
> will know what they are. In turn, organizations like CERT will not know
> what they are until some time after the release, when the effects can be
> examined second hand.
>
> Pick your poison.
>
My position is pretty clear: posting break-in code on public lists causes
nothing but chaos and needless panic. I vote no for full disclosure;
I vote for free information -- but without break-in scripts that give you
a root prompt. I am interested in statistics on how many times 8lgm scripts
were used for malicious purposes. Maybe CERT might tell us? B-)
Consider it another fruitless noise on bugtraq.