Date: Fri, 17 May 1996 18:27:17 -0500 (CDT)
From: "Matthew N. Dodd" <winter@jurai.net>
To: "Kevin J. Duling" <kduling@natasha.scccc.com>
Cc: freebsd-security@freebsd.org
Subject: Re: very bad
Message-ID: <Pine.BSI.3.93.960517181900.7734A-100000@sasami>
In-Reply-To: <199605171621.KAA15772@natasha.scccc.com>
On Fri, 17 May 1996, Kevin J. Duling wrote:

> What might be a better solution is to announce that "There is a problem"
> then provide the fix...but don't illustrate the problem. That way everyone
> is immediately notified of the problem and a fix for it, but you don't have
> a list of instructions for how to crack in.
> Personally, I prefer having the instructions, but it's not a good idea...

Sorry, if a problem is to be taken seriously then it must present um... 'clear and present danger'. I saw the exploit and went "sh*t! this is bad." I had all my machines fixed a minute later and then went poking around and crashed my test box trying out the exploit.

If you get the whole of the problem out, and FORCE it to be a problem then you won't have to worry about people brushing it off. If they get burned, then they have only themselves to blame for not taking the problem seriously and fixing it.

I'm not worried about any of my users exploiting these bugs, as I've no qualms about feeding them to legal and letting them play with those guys.

Full disclosure, with exploits please.

| Matthew N. Dodd   | winter@jurai.net    | http://www.jurai.net/~winter |
| Technical Manager | mdodd@intersurf.net | http://www.intersurf.net     |
| InterSurf Online  | "Welcome to the net Sir, would you like a handbasket?"|
