Graham Toal wrote:

> Hahaha! Isn't that just like the thing - the owner of a 'full disclosure'
> list resorts to security by obscurity when it's *his* machine that's
> vulnerable.
>
> Wish I hadn't wasted my money phoning the States to warn you about
> it last night. Excuse me while I sign up with CERT's mailing list
> again, they'll probably tell me more :-(

If you'd think about it for a moment, it makes sense.

1. The bugtraq list has a lot of hackers on it. Posting a hole to it gives it a very wide distribution.

2. There's a list specifically for the users of the afflicted package; actually there are two lists. More of the people who use majordomo are presumably on that list than on the bugtraq list. Presumably there are fewer hackers on it; mailing list software isn't all that interesting.

3. Info about the hole was posted to one of the majordomo lists. So most (many?) of the sites that run it would already know.

And finally:

4. The owner of the machine that bugtraq runs on hadn't patched the hole yet.

I don't blame Scott for wanting to wait a few hours. It'd be pretty damn altruistic to post detailed instructions on how to break into your own machine before you've even figured out a fix. If you have figured out a fix, you'd want to test it before you post it, eh? Otherwise, if you get it wrong, a lot of people who've applied it without understanding it and checking it will be mightily pissed.

--
ericm
ericm@microunity.com