From: Steve (steve at securesolutions.org)
Date: Thu Nov 01 2001 - 21:06:52 CST
I agree with this assessment. Sometimes I get a good laugh over the
posts that say things like: "my server at <insert IP address here> is
vulnerable to <insert exploit of the week here>, and I don't know what
to do." Anyone can read these posts; they are archived not only on
SecurityFocus but on a half dozen other sites as well. I really don't
think this has to do with full disclosure (trust me, I am probably one
of the biggest full disclosure flag wavers around these days) but more to
do with common sense.
I have posted an incident (not my own but a client's) to this list in the
past, with a hushmail account from my home PC dialed up to a free net
provider and did not sign the post. The information we all share on
this list is very, very valuable, but because it is an open forum you
need to be cautious as to what identifying information you leave behind.
And don't take this as me saying that we need a closed forum, I am
convinced that closed forums do not work.
> -----Original Message-----
> From: cambria at owt.com [mailto:cambria at owt.com]
> Sent: Thursday, November 01, 2001 2:29 PM
> To: Dan Ellis; incidents at securityfocus.com
> Cc: H C
> Subject: Re: Posting to Incidents list, was: Re: Help with Nimda.E?
>
>
> The way I interpreted HC's post, he was not referring to the
> perennial full-disclosure debate. He was pointing out the
> risks of disclosing one's *own* potential vulnerabilities in
> a public forum.
>
> I think it's a valid point and one that inexperienced people
> may not fully consider before posting.
>
> You certainly do not want to post a message to this forum
> from the affected system saying "I just discovered that my
> port 5678 gives a root shell to anyone - what should I do".
>
> For this reason many people post from email accounts that
> cannot easily be correlated to the system they are
> discussing. Also, logs showing actual IP addresses are often
> "sanitized". That is, the actual IP address of the
> potentially vulnerable system is replaced with something like
> "x.x.x.x".
>
> I think HC's message was a call for good judgment on the part
> of those who post here - a sensible recommendation that one
> not expose exploitable details of one's own system to a
> potentially malicious audience.
>
> Best regards,
>
> Greg McCann
>
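The log sanitizing that Greg McCann describes above (replacing one's own addresses with "x.x.x.x" before posting) as an added example; this is not code from the original thread or from either poster. It goes one step beyond the post: when a list of one's own network ranges is given, only addresses inside those ranges are masked, so a foreign source address in the log can stay visible while the reporting site's own hosts are hidden. The sample log lines and the network ranges are constructed for the example.

```python
import ipaddress
import re

# Matches dotted-quad candidates; ipaddress.ip_address() then rejects
# strings such as 300.1.2.3 that merely look like addresses.
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def sanitize_line(line, own_networks=None, placeholder="x.x.x.x"):
    """Replace IPv4 addresses in one log line with a placeholder.

    own_networks: optional list of CIDR strings (hypothetical ranges in
    the sample below). When given, only addresses inside those networks
    are masked; every other address is left as written. When omitted,
    every valid address in the line is masked.
    """
    nets = [ipaddress.ip_network(n) for n in (own_networks or [])]

    def repl(match):
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            return match.group(0)  # not a real address; leave untouched
        if not nets or any(addr in n for n in nets):
            return placeholder
        return match.group(0)

    return IPV4_RE.sub(repl, line)


def sanitize_log(lines, own_networks=None, placeholder="x.x.x.x"):
    """Apply sanitize_line() to every line of a log."""
    return [sanitize_line(line, own_networks, placeholder) for line in lines]


# Constructed sample log, not real traffic. 198.51.100.0/24 plays the
# role of the poster's own network; 203.0.113.45 is an outside host.
OWN_NETWORKS = ["198.51.100.0/24"]
SAMPLE_LOG = [
    '203.0.113.45 - - [01/Nov/2001:14:29:01 -0600] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [01/Nov/2001:14:29:03 -0600] "GET /status HTTP/1.0" 403 -',
    "kernel: inbound connection from 203.0.113.45 to 198.51.100.7:80",
]

if __name__ == "__main__":
    for line in sanitize_log(SAMPLE_LOG, OWN_NETWORKS):
        print(line)
```

Masking only one's own ranges keeps the part of the log that other list members can act on (who is probing them) while removing the part that identifies the reporting site; passing no ranges masks everything, which is the safer default when unsure which addresses belong to the site.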
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com