From owner-freebsd-security Mon Dec 16 14:13:34 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA07691 for security-outgoing; Mon, 16 Dec 1996 14:13:34 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA07672 for ; Mon, 16 Dec 1996 14:13:29 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vZlHM-0005SA-00; Mon, 16 Dec 1996 15:12:56 -0700
To: Richard Wackerbarth
Subject: Re: crontab security hole exploit
Cc: Joakim Rastberg , security@freebsd.org
In-reply-to: Your message of "Mon, 16 Dec 1996 09:14:25 CST."
References:
Date: Mon, 16 Dec 1996 15:12:55 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Richard Wackerbarth writes:
: An interesting perspective.
: My attitude is that it is better to have obscurity than having the exploit
: readily available to a wide audience. I realize that the truly good
: crackers can figure it out for themselves. But there are many "children" who
: will try something when it is handed to them. IMHO, we should at least give
: the upper hand to the sysops and, if possible, provide the fix before the
: attack becomes widespread.

Yes, but 99.999% of all the exploits that have been posted to this list first appeared in bugtraq or best-of-security. Nothing new is generally revealed.

Now then, if I find a way to crack program xxx, then I should quietly send mail to the authors (or the BSD distributions) with this information. If I'm just passing along a well-known hole, then everybody likely already knows about it.

Besides, you can easily find lots of holes in lots of programs for the small price of downloading OpenBSD's CVS tree. They have fixed boatloads of these things, some of which have been merged into FreeBSD, but many of which have not.

Warner