"In the previous message, Gene Spafford said..."

> > On Mon, 28 Nov 1994 19:47:52 -0500 I wrote:
> >
> > Pat,
> >
> > In the spirit of your message:
> >
> > You've been skipping your Prozac again. Naughty, naughty!
> >
> > --spaf
> >
> > Part of the intergalactic conspiracy to keep widely known security information
> > away from Pat.
>
> Several people berated me for the above post, pointing out that I was
> beginning to stoop to Pat's level of insulting behavior. However,

Sigh. I stated I had no more to say publicly on this, but I cannot let this go unanswered. It was addressed to the list, AND cc'd to me. So please bear with me.

I didn't start the blatant attacks intended ONLY to insult, Spaf. I didn't accuse you of using/needing chemicals, etc. (totally unrelated to the issue at hand, BTW). I *DID* respond with a similar remark about a rarefied atmosphere, and double standards. But only after I saw that blatantly offensive post.

> after 14 years on the net, I *still* find it difficult to ignore
> slanderous rants directed at me. But if I had responded to the

SO DO I. You got a few years on me, but not THAT many. And the post was not directed specifically at YOU. It was in RESPONSE to a post you made. It was directed at those who advocate secrecy, keeping info to a select few. If the shoe fits, well...

> content of Pat's message, it would have somewhat dignified it. I
> obviously should have ignored it, as most readers of this list
> undoubtedly viewed Pat's insults and falsehoods for what they were
> (those that didn't aren't worth worrying about).

You have decreed quite a few people "aren't worth worrying about". I wonder how they feel about that? For what it's worth, I received several messages, too. All complimenting me on my post and thanking me for saying what needed to be said. I honestly expected some flames, so I was surprised.
It appears you essentially grabbed onto a post whose tone you did not approve of, and used it as an excuse to dodge the issue and fling some very nasty insults at someone who dared to speak plainly; at least that is what it looked like to me. I am not a person for titles, and do not suffer those who expect to be treated in any kind of special manner solely because of some position, when they do not offer such treatment to others themselves. It smacks of a double standard, and I really do not have any patience with that; I have seen far too much destruction and hurt because of that sort of thing.

I would appreciate it if you pointed out the slander in my original post. I ask because you are the only person I am aware of who has regarded it as slanderous. NOBODY, and I repeat - NOBODY that contacted me thought the post was at ALL out of place. I re-read it, and found nothing other than a lack of servile tones. I don't think servile tones are required in this society. We are not a society of lords and serfs - YET.

> So, my apologies to everyone on bugtraq for that minor lapse in
> professional behavior. Also, my thanks to all of you who wrote
> personal mail to me about it, pro and con (but special thanks to those
> of you offering humorous follow-ups).

Spafford, if you point out the lines that are HONESTLY slanderous, and tell me how you considered them slanderous, I will PUBLICLY apologize for them if a disinterested party agrees. But I really need to know HOW they are slanderous; at this point all I can apologize for is losing my temper.

> -------------
>
> As to this whole thread on disclosure, it maybe doesn't belong in
> bugtraq, although bugtraq is about bugs and Unix security. There

Of course it doesn't - but neither do posts of the sort from 8lgm. I don't recall the charter stating it was a non-disclosure list.
I have stated many times what I felt was a good approach, and yet NOBODY has even tried it or even *discussed* it; it's always been totally zero disclosure, or canned exploit scripts. I support a stepwise approach. Always have. And in a final full disclosure, one need not provide a ready-to-run script to convey adequate info for any kind of admin to figure things out enough so they can evaluate their own site and situation.

What really pulled my chain especially about the 8lgm posts is the fact that for binmail, there was no mention of the numerous fixes using mail_local - whether they were or were not vulnerable to the latest condition. THAT is one aspect that made it especially worthless. Many folks have long since replaced binmail, and are using mail_local, procmail, or similar. But they got no useful info out of those advisories, whatsoever.

But given a choice between CERT-type postings and canned scripts, I will take the latter. At least they give me a CHANCE to fix things and check platforms not mentioned. Vendors take time measured in MONTHS. In the meantime, one is screwed. And that doesn't even address the non-vendor platforms, or heavily modified ones.

Then when you came on and defended this CERT approach, I could see the dark bad old days coming back at lightspeed. You ask for proof, but have offered none. You state that 1, 2, or 3 cases do not prove anything. But can you prove that disclosure has, overall, made the problem worse? I feel the burden is on the person who wishes to go back to the mushroom mgmt procedure of handling security problems. Obviously you disagree. But to ask for something you yourself cannot (or will not) supply I feel is wrong.

> really isn't another good forum for the discussion, however, and it is
> directed at one of the precepts of bugtraq's charter. It is also
> interesting to note how many people fail to understand the difference
> between folklore and fact, between superstition and proof.
That's the problem - the effects of full vs. no or nearly no disclosure are all just that - folklore - so it's a bit of a red herring to even use that as an issue. So far, there has been nothing concrete to support EITHER side. In that situation, I feel (as do many others) the benefit of the doubt must go to free flow of information. This goes double for a hole that is discovered due to the activities of a cracker. One that has *NOT* been used for a break-in, but just discovered by an admin or tech working, is an entirely different matter, as long as a cracker has never exploited it. But most of the destructive holes out there, I bet, are known because of a cracker's destructive work.

> Many people want it stopped because they have no doubts about full
> disclosure being the best thing to do. One cannot reason with belief
> (they have different foundations). They may be right, they may be
> wrong, but they don't want their beliefs challenged, so perhaps we
> should let the thread die off (or maybe someone will create another
> list?).

But Spaf, you don't respond too well when your beliefs are challenged, either!

> I've answered over 50 pieces of mail on this general topic in the last
> few days. There's not much more to say, which is good, because my
> fingers are getting quite tired and many of you have had enough!
> Luckily, I'm headed out of town for a research meeting, so I can give
> my keyboard a rest (so please don't write me for a while!)
>
> -------------
>
> Let me recap some points that keep coming up. Many of these should be
> obvious to people, but curiously aren't:
> [ ... recap deleted ... ]

Alas, the recap did not answer the original question posed. :-(

> I also note that many people seem to think that I have lots of secret
> vulnerability information, or that I get lots of exploit scripts.
> (Maybe that explains why there are so many attempts to break into
> machines here?)
> The truth is, people almost never report new bugs to
> me, vendors and CERT don't share the ones they hear about, and I don't
> keep secret any that I hear about -- they all get passed on to the
> vendors. Furthermore, the only exploit scripts I recall seeing in the
> last 18 months have come from bugtraq -- including all the ones we
> have captured from clumsy crackers. (And please don't send me any to
> make up for this! I have no use for exploit scripts, and I don't want
> to have any around to tempt people; my research is into underlying
> technology rather than hacking tools.)

Well, people (and I) presume you do have info denied the rest of us, because one must realize you learned of all the holes you do know about from SOMEWHERE. It cannot be osmosis. Some can be due to your own efforts and experiments, but not all. That's why it's hard to believe you don't have access to info the rest of us are denied.

> I've been asked to give a talk at SANS next year...I think I'll try to
> do a paper on the pros and cons of disclosure. Of course, as a member
> of the intergalactic conspiracy, we won't allow any of you to get a
> copy. :-)

Again - please specify where I stated anything about any conspiracy. The closest I came was suggesting that people were sitting on info for selfish reasons. That is hardly a conspiracy. Now who is slandering whom?

> Finis,
> --spaf

-- 
pat@rwing [If all fails, try: rwing!pat@eskimo.com] Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.