From owner-freebsd-security Wed Feb 5 22:45:07 1997
Date: Wed, 5 Feb 1997 22:44:59 -0800 (PST)
From: Stranger Bone
To: Karl Denninger
cc: "Sean J. Schluntz", freebsd-security@freebsd.org, karl@Mcs.Net
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-Reply-To: <199702060116.TAA21953@Jupiter.Mcs.Net>
Sender: owner-security@freebsd.org

On Wed, 5 Feb 1997, Karl Denninger wrote:

> > > I AM PART OF THE SOLUTION.
> > >
> > > And yes, I WILL submit a pr on this as soon as I can find a few hours to
> > > do the fix, verify it, and make world to test. At the same time I post
> > > it to the committers I'll post it publicly, and 24 hours later I post
> > > the exploit which takes advantage of the problem.
> >
> > This is being part of the solution? Telling the world how to hack the systems
> > of people who don't watch the lists or don't have enough time to patch a
> > network of systems?
> >
> > 24 hours is not enough time for people to get the patch implemented. You
> > would be personally sentencing people and their business to death by doing
> > this.
> >
> > Would you like it if you were sick for two days and came back to find your
> > network toast because someone pulled a stunt like that?
> >
> > -Sean
> > ----------------------------------------------------------------------
> > Sean J. Schluntz
>
> Uh, excuse me, but the EXPLOIT has been in ACTIVE use for *TWO MONTHS* now.
>
> It's *NOT* new. It is being *ACTIVELY* used by the hacker contingent.
> Therefore, hiding *ANYTHING* at this point serves no purpose.
>
> How can I possibly "hurt" things at this point...

Don't be ridiculous. There's a huge difference between not hiding
something and shouting it from the rooftops. Just because some people
have an exploit doesn't mean everyone does.

I resent your playing games with *my* security just to satisfy your
self-image as the Security Avenger. I'm not saying that's necessarily
your motive, but it sure looks that way.

Be careful before you let any genies out of bottles. They're hard to
stuff back in, and that applies to lost credibility as much as it does to
lost security.

> --
> --
> Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
> http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
>                              | 99 Analog numbers, 77 ISDN, Web servers $75/mo
> Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
> Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

Ben

"You have your mind on computers, it seems."