From: gobbleshushmail.com
Date: Thu Apr 11 2002 - 15:47:07 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    It was brought to GOBBLES attention that some other yahoo had published advisory on NTOP bug a month or so ago. In an email to GOBBLES from yet another yahoo, GOBBLES was insulted over the advisory.

    GOBBLES discovered the vulnerability in early December. GOBBLES never made it public for various reasons.

    GOBBLES Security recently learned that somehow a copy of the GOBBLES private exploit had fallen into the hands of someone who shouldn't have it. GOBBLES was wary of this person going and publishing their own advisory on it, as if they had found it themselves. This is why GOBBLES hurried up and had an advisory written on it and published.

    GOBBLES is not a reader of the securityfocus.com mailing lists. This is why GOBBLES did not see previous advisory on bug come through.

    Before sending advisory off to lists, GOBBLES did download the LATEST STABLE VERSION of ntop. It was still vulnerable. Thus GOBBLES assumed that it was still "undiscovered" and issued advisory on it.

    Why any developer would leave a bug in the LATEST STABLE after being informed about it, and only have the development version of sources patched is beyond GOBBLES. It is not best practice to run development software in production environment. If developer knew of bug, should have released security update into latest stable.

    Record should be clear though, that GOBBLES did find bug in December and was successful in exploiting it in the wild.

    This all GOBBLES have to say on subject matter.

    GOBBLES
    GOBBLEShushmail.com

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wlwEARECABwFAjy192kVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPKvEA
    nj/pvrAyCSG23bZnoDJGk6Rom+TCAKCF70e4gy1uaPsws6qkAaNemH2rrg==
    =V2Cv
    -----END PGP SIGNATURE-----