Re: Potential hole in Ettercap 0.6.2

From: Jonathan Bloomquist (bocasolutions@yahoo.com)
Date: 12/04/01 

Date: Tue, 4 Dec 2001 14:22:45 -0800 (PST)
From: Jonathan Bloomquist <bocasolutions@yahoo.com>
To: Michal Zalewski <lcamtuf@coredump.cx>

--- Michal Zalewski <lcamtuf@coredump.cx> wrote:
> On Tue, 4 Dec 2001, Blue Boar wrote:
>
> > Goobles sent another post to vuln-dev today, which
> was rejected due to
> > personal attacks in their note.
 
--snip--

> I hate to say so, but maybe it is time to ignore
> him? Instead of
> forwarding posts or excerpts or notification about
> yet another
> vulnerability in a discontinued line of scientific
> calculators,
> command-line buffer overflow / format string bug in
> a program that is not
> supposed to be setuid, claims that a failure to log
> authentication failure
> is a "remote root exploit", or an advisory on data
> leak as revelant to the
> security of your system as disclosing your system
> time or username by
> Sendmail in mail headers? I am not saying we should
> ignore valuable
> research if it does not conform to some "style
> guidelines", or that we
> should reject such very minor (and often unverified)
> bug reports if
> described in an acceptable manner, but if it does
> not have any value and
> lacks style, it is just sad.

I think the guidelines are pretty well outlined in the
FAQ:

/*

Please follow the below guidelines on what kind of
information should be posted to the VULN-DEV list:

"I think I've found a new hole.."
"Here's a script to exploit the hole.."
"I can verify that it dumps core on my machine, too"
"Here's what I see in the debugger.."
"This is how I figured it out"

Basically, we want to facilitate people being able to
verify and take advantage of holes. The word "hole" is
used deliberately, and it refers to a bug that has a
potential security impact. You may very well find a
buffer overflow in a program, but if it's never used
in a security context (SETUID, part of a CGI script,
etc..) then it's probably not appropriate for the
list. If you're not sure if it applies or not, go
ahead and post it. If it's not security related, then
either the moderator will stop it or the list members
will point it out.

*/

Personal attacks are pretty clearly off-topic and if
the continuing spirit of GOBBLES revelations seems to
be tongue-in-cheek, well I say flush the troll.

__________________________________________________
Do You Yahoo!?
Buy the perfect holiday gifts at Yahoo! Shopping.
http://shopping.yahoo.com

Relevant Pages

  • Re: Network Security
    ... In one of my first jobs, ... We closed the security hole ... >still needed to know who was the perpetrator, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Back Doors (was: EXCP with a DEB)
    ... The first thing to do upon finding a security hole is to notify the vendor. ... IBM will generally understand the hole, and fix it within a reasonable time. ... Said someone else might use the security hole maliciously, ... Secrecy is only beneficial to security in limited circumstances, and certainly not with respect to vulnerability or reliability information. ...
    (bit.listserv.ibm-main)
  • Re: Security Audit
    ... Subject: Security Audit ... that if you're conducting a "blind" external pen test, ... only addressing one hole on one server. ... at the patch levels on each one. ...
    (Pen-Test)
  • Hawking Technologies HAR11A router considered insecure
    ... http://www.hawkingtech.com/images/productlg/HAR11%20View.jpg) security ... hole by using telnetto connect to port 254 on it. ... will find an undocumented management interface which allows you to see ... The safest thing to do is to put the modem into 'bridge mode' and do ...
    (Bugtraq)