Re: Terminal Emulator Security Issues

[Horms <horms () verge net au>]

On Tue, Feb 25, 2003 at 08:07:08AM -0600, H D Moore wrote:
> On Monday 24 February 2003 08:09 pm, Michael Jennings wrote:
> > I'm not sure what "vendor coordination" was done, but I know I was
> > never contacted.  Just FYI.
>
> The vendor coordination was done through the vendor-sec mailing list with 
> about a three-week head start prior to disclosure. There really weren't 
> many true "bugs" found, just about everything covered was implemented 
> deliberately and could be found in the documentation of the app. There 
> had already been a number of debates on the exploitability of these 
> features, so this paper was more of a FAQ than any sort of advisory.  It 
> wasn't my intention to catch anyone off-guard on this, just to bring 
> these issues back into the limelight for a while and see if other people 
> had a similar take on them.

I would suggest that vendor coordination that doesn't involve
contacting the authors is a specious process. Surely the authors
themselves would be useful allies in exploring the full consequences of
and resolving security problems. After all they probably know the code
at least as well as anyone else.

-- 
Horms
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html