just what is full disclosure...?

*Hobbit* (hobbit@bronze.lcs.mit.edu)
Wed, 30 Nov 1994 02:45:36 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Pat Myrto: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"
Previous message: Pat Myrto: "Re: In reply to comments about new policy"

To me, an exploit script isn't *really* full disclosure until I pick it
apart and see what it's doing, and *then* I understand what the real
problem is.  I wound up rewriting "mailrace" a couple of different [and
more effective] ways as a result of this sort of study.  "passwdrace"
was even more interesting.

Thus, a description of why the bug is a bug would be *better* in my mind,
with pointers to lines in the source code that are in error, and leaving
the 'sploit as an exercise.  Publishing the canned script is an interesting
approach, but has the disadvantages that a> any idiot can run it and b>
alone, it doesn't really explain the problem.

Of course, nothing prevents someone else from performing the exercise and
distributing *that* as a canned 'sploit to clueless people, but that at
least shifts the irresponsibility from, say, 8lgm to that someone else...

_H*

Next message: Pat Myrto: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"
Previous message: Pat Myrto: "Re: In reply to comments about new policy"