From owner-freebsd-security Fri May 17 16:27:31 1996
Return-Path: owner-security
Received: (from root@localhost)
    by freefall.freebsd.org (8.7.3/8.7.3) id QAA29140
    for security-outgoing; Fri, 17 May 1996 16:27:31 -0700 (PDT)
Received: from sasami.jurai.net (root@sasami.jurai.net [206.151.208.162])
    by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA29134
    for ; Fri, 17 May 1996 16:27:29 -0700 (PDT)
Received: from localhost (winter@localhost)
    by sasami.jurai.net (8.7.4/8.7.3) with SMTP id SAA09654;
    Fri, 17 May 1996 18:27:17 -0500 (CDT)
Date: Fri, 17 May 1996 18:27:17 -0500 (CDT)
From: "Matthew N. Dodd"
X-Sender: winter@sasami
To: "Kevin J. Duling"
cc: freebsd-security@freebsd.org
Subject: Re: very bad
In-Reply-To: <199605171621.KAA15772@natasha.scccc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, Kevin J. Duling wrote:

> What might be a better solution is to announce that "There is a problem"
> then provide the fix...but don't illustrate the problem. That way everyone
> is immediately notified of the problem and a fix for it, but you don't have
> a list of instructions for how to crack in.

> Personally, I prefer having the instructions, but it's not a good idea...

Sorry, if a problem is to be taken seriously then it must present um... 'clear and present danger'.

I saw the exploit and went "sh*t! this is bad." I had all my machines fixed a minute later and then went poking around and crashed my test box trying out the exploit.

If you get the whole of the problem out, and FORCE it to be a problem then you won't have to worry about people brushing it off. If they get burned, then they have only themselves to blame for not taking the problem seriously and fixing it.

I'm not worried about any of my users exploiting these bugs, as I've no qualms about feeding them to legal and letting them play with those guys.

Full disclosure, with exploits please.

| Matthew N. Dodd   | winter@jurai.net    | http://www.jurai.net/~winter |
| Technical Manager | mdodd@intersurf.net | http://www.intersurf.net     |
| InterSurf Online  | "Welcome to the net Sir, would you like a handbasket?"|