Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: John Howie (JHowieMSN.COM)
Date: Thu Apr 27 2000 - 11:50:13 CDT


Now for an appeal...

Please do NOT publish explicit details of how to exploit a security
vulnerability on this, or any other list. Many people will champion full
disclosure and freedom of speech but the harsh reality is that between
disclosure and action by a vendor or site that uses a vendor's product there
is a window of opportunity for exploitation. I am not talking about hackers,
but about script kiddies and wannabe hackers. For true security professionals
(and not those pretend professionals) it creates nothing short of a nightmare
for us, and gives our profession a bad name, when some irresponsible
individual or group decides to expose in detail the steps required to break
into a site and to give examples of the range of privileged information that
can be obtained.

Apart from the professional argument there is the legal one. In some
jurisdictions merely making a vulnerability public along with details of how
to exploit it can render those responsible liable for prosecution if any
individual or company suffers harm or loss as a result, including the vendor
themselves. In certain cases reverse engineering and modifying a binary is
also illegal, depending on the shrink-wrap license.

I am not faulting Steve for publishing the advisory unmodified but I do wish
that those who submit them display some restraint.

John Howie
