> On Tue, 13 Dec 1994, jsz wrote:
>
> > CERT consists of bureaucrats; 8lgm of posers -- what's the difference,
> > after all?
>
> 8lgm does not pretend to be god's gift to the net.

True: but IMHO, posting scripts that would add a "+ +" to /.rhosts -- or add a root entry into the passwd file are useless; it'd make me respect Neil & Karl, if they didn't post such scripts, and instead would give detailed information about the vulnerability they found. I do respect the amount of work they did already though.

> > At least you can't use CERT's advisory to crack root on a site, and wipe
> > out important files; 8lgm's advisories were, and in fact are being used
> > for those purposes as well.
>
> I am sure this has been said by dozens of people but:
> If you restrict exploits to the script hackers then only the script hackers
> will know what they are. In turn, organizations like CERT will not know
> what they are until some time after the release; when the effects can be
> examined second hand.
>
> Pick your poison.

My position is pretty clear: posting a break-in code on public lists causes nothing but chaos, and needless panic. I vote no for full disclosure, I vote for free information -- but without break-in scripts that give you a root prompt.

I am interested in statistics on how many times 8lgm scripts were used for malicious purposes. Maybe CERT might tell us? B-)

Consider it another fruitless noise on bugtraq.