From: Darren Reed
Message-Id: <200206270837.SAA17907@caligula.anu.edu.au>
Subject: Re: Wow (or, How Theo should have handled it)
To: deraadt@cvs.openbsd.org (Theo de Raadt)
Date: Thu, 27 Jun 2002 18:37:05 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200206270743.g5R7hswj029148@cvs.openbsd.org> from "Theo de Raadt" at Jun 27, 2002 01:43:54 AM

In some mail from Theo de Raadt, sie said:
[...]
> I still do not believe ISS that this thing was wild. If it was, we
> would already have seen it on BUGTRAQ, because wild does not mean that
> someone has an exploit. Wild means it is being distributed in an out
> of control fashion, and people are starting to use it. As of the
> posting time -- it was not wild. I estimate that in more than half of
> the cases, as soon as a bug goes wild, it gets posted because whoever
> wrote it wants their credit.
[...]

This discrepancy is, I believe, just a misunderstanding of what they
term wild vs what you term wild. You're using the term "wild" as in
"wildfire" whereas they might mean "wild" as in it's out there,
somewhere, perhaps hiding, lurking, not in your control, not everywhere
but waiting to jump you when you least expect it - more like a wild cat.

I think you're wrong on the exploits being published - there's current
evidence that strongly suggests things can be kept quiet, "in the wild",
for months before they end up on bugtraq. Neils might be able to tell
you more about that but not I.

Current thinking is that if there's any trend in hackerdom then it is
away from publishing exploits. Why? Well, it defeats their own ability
to break into stuff, doesn't it?

I also have some reason to believe that the likes of ISS would have more
of an inclination than you about "what's out there". This isn't to
insult you but rather they have dedicated resources whose paid job it is
to find this stuff out (xforce).

Choose what you wish to believe, but be careful about interpreting what
others say, without asking them first, if it is not clear.

Darren