|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
just what is full disclosure...?
*Hobbit* (hobbit
bronze.lcs.mit.edu)Wed, 30 Nov 1994 02:45:36 -0500
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Pat Myrto: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"
- Previous message: Pat Myrto: "Re: In reply to comments about new policy"
To me, an exploit script isn't *really* full disclosure until I pick it apart and see what it's doing, and *then* I understand what the real problem is. I wound up rewriting "mailrace" a couple of different [and more effective] ways as a result of this sort of study. "passwdrace" was even more interesting. Thus, a description of why the bug is a bug would be *better* in my mind, with pointers to lines in the source code that are in error, and leaving the 'sploit as an exercise. Publishing the canned script is an interesting approach, but has the disadvantages that a> any idiot can run it and b> alone, it doesn't really explain the problem. Of course, nothing prevents someone else from performing the exercise and distributing *that* as a canned 'sploit to clueless people, but that at least shifts the irresponsibility from, say, 8lgm to that someone else... _H*
- Next message: Pat Myrto: "Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994"
- Previous message: Pat Myrto: "Re: In reply to comments about new policy"