Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: rain forest puppy (rfpWIRETRIP.NET)
Date: Tue May 02 2000 - 17:16:41 CDT


Fashionably late...

> What I think is irresponsible is that the level of detail in the
> original Cerberus advisory was so great that any 'script kiddie' could
> cut and paste them and cause a great deal of damage.

Funny.

I was recently chatting with a close friend of mine. It seems that her
client needed to actually see demonstrated, before their eyes, the
Netscape admin server authentication credential buffer overflow, before
they believed it was a problem (worth immediately fixing).

I dealt with the same mindset with my dvwssr.dll...people need to see a
working exploit before they confirm it's "really a problem worth dealing
with".

Sure, it brings up the question of is this right? Do we fix problems, or
exploits?

But nevertheless, I know just as many "good guys" that need to be walked
through the process before they can/will fix it, as I know "bad guys" who
will take advantage of the process.

But no one seems to think of that side of life.

- rain forest puppy
