Full Disclosure mailing list archives

RE: No Subject (re: openssh exploit code?)

From: "Generated by a PseudoRandom Number Generator" <randomusername () hushmail com>
Date: Tue, 21 Oct 2003 14:43:53 -0700

On <somedate> Montana said...

I agree with Mitch.  Lets say you get an advisory that
a severe thunderstorm may be coming your way.  Do you
wait until the wind and rain are blowing inside your
house to close the windows and doors.

<snip>

This is one of the silliest analogies I have ever heard. If you are seriously
suggesting that Mitch (or anyone on full-disclosure, bugtraq, etc) is
the equivalent of the <Insert local/national weather service>, you are
crazy. 

If you insist on having an analogous situation, pretend you live in a
town with 10,000 old guys all sitting on porch rocking chairs, and every
day, a couple of them yell that the storm of the century is coming. Some
times, they overhear one-and-other, and the cries of "Storm, Storm" get
louder. How can you tell who to believe, maybe one old guy has a doppler
radar in his outhouse, all of a sudden, he should be believed, but if
he doesn't tell you why he thinks a storm is a brewin', you're going
to spend every day cowering in your house, afraid. Really I think that's
the point, and the value of full-disclosure to the community, you don't
have to trust some old guy with a trick knee, you can judge for yourself
whether something is possible. (Note: when I say "full-disclosure, I
am not advocating publishing all exploit details, but the information
that was presented by lcamtuf certainly went a whole lot further to disclosing
one possible exploitation path, and allowed people to better assess the
risk and then allow them to judge the importance of this patch, over,
 say, the Microsoft Exchange patch. )

And btw, this is one of silliest, most annoying, on-charter discussions
I have ever seen on this list. (actually, it's one of the few on-charter
discussions that I have ever seen on the list), I can't believe I contributed
to it. 



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

No Subject (re: openssh exploit code?), (continued)
- No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
  - Re: No Subject (re: openssh exploit code?) Dan Wilder (Oct 21)
  - Re: No Subject (re: openssh exploit code?) Helmut Springer (Oct 23)
- RE: No Subject (re: openssh exploit code?) Robert Ahnemann (Oct 21)
- RE: No Subject (re: openssh exploit code?) Robert Ahnemann (Oct 21)
- RE: No Subject (re: openssh exploit code?) Robert Ahnemann (Oct 21)
  - RE: No Subject (re: openssh exploit code?) Montana Tenor (Oct 21)
    - RE: No Subject (re: openssh exploit code?) V.O. (Oct 21)
  - Re: No Subject (re: openssh exploit code?) Kenneth R. van Wyk (Oct 21)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Generated by a PseudoRandom Number Generator (Oct 21)