[Full-Disclosure] Re: Terminal Emulator Security Issues
From: Horms (horms@verge.net.au)
Date: 02/26/03
From: Horms <horms@verge.net.au>
To: H D Moore <termulation@digitaloffense.net>, vulnwatch@vulnwatch.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Date: Wed, 26 Feb 2003 15:00:12 +0900

On Tue, Feb 25, 2003 at 08:07:08AM -0600, H D Moore wrote:
> On Monday 24 February 2003 08:09 pm, Michael Jennings wrote:
> > I'm not sure what "vendor coordination" was done, but I know I was
> > never contacted. Just FYI.
>
> The vendor coordination was done through the vendor-sec mailing list with
> about a three-week head start prior to disclosure. There really weren't
> many true "bugs" found, just about everything covered was implemented
> deliberately and could be found in the documentation of the app. There
> had already been a number of debates on the exploitability of these
> features, so this paper was more of a FAQ than any sort of advisory. It
> wasn't my intention to catch anyone off-guard on this, just to bring
> these issues back into the limelight for a while and see if other people
> had a similar take on them.

I would suggest that vendor coordination that doesn't involve
contacting the authors is a specious process. Surely the authors
themselves would be useful allies in exploring the full consequences of
and resolving security problems. After all they probably know the code
at least as well as anyone else.

--
Horms
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html