Re: What is the point here?

From: Systems Administrator (sysadmin_at_sunet.com.au)
Date: 01/19/04

  • Next message: Rafel Ivgi, The-Insider: "NETCam webserver Directory traversal bug"

    Date: Tue, 20 Jan 2004 09:54:56 +1100 (EST)
    To: Alun Jones <alun@texis.com>

    On Sun, 18 Jan 2004, Alun Jones wrote:

    > I'd like to think that Bugtraq positions itself as something more than a
    > semi-sneaky, behind-the-back-of-the-vendors rant group, or an assembly point
    > for root-kit starters. Moderators, please stop accepting posts where the
    > poster has stated specifically that they have not yet notified the vendor,

            The problem with this, of course, is that the security hole
    exists, but the whitehats (i.e. us) haven't been generally notified. I
    agree that in a perfect world, everyone should notify the vendor first.
    But a lot of people, if they got knocked back and told to follow proper
    procedure, would just say "Ah well, I don't have time for that". My
    understanding of Bugtraq is that it is to provide timely information on
    potential problems, and allow workarounds (i.e. turn off JavaScript, or
    whatever it happens to be).

    > or where the only new thing that is contributed is a more insidious version
    > of an existing exploit. And posters, please consider carefully before you

            I agree on this one -- if an exploit only functions under some
    circumstances (OS specific is a good example), then making it function
    under a wider range of circumstances is good because it allows people to
    see that they're vulnerable where they might've thought otherwise. But
    posting an exploit that drops a root shell -- well, I wonder whether these
    shouldn't be rejected even if they are the first POC -- it shouldn't be
    too hard for the POC writer to change their code so that it doesn't.

    > post whether what you post is going to contribute to an increase in security
    > or a decrease in security. If you cannot claim that your post will help to
    > improve security, then do us a favour and take it somewhere else.

            I agree, although I think I'd phrase that as "enable the whitehats
    to deal with their security situation better".

            Thanks,

    -- 
    Tim Nelson
    Systems Administrator
    Sunet Internet
    Tel: +61 3 5241 1155
    Fax: +61 3 5241 6187
    Web: http://www.sunet.com.au/
    Email: sysadmin@sunet.com.au