> Please refrain from disclosing bug particulars on an email list.
> All we need is to have hackers get the inside poop on a hole faster
> than we can patch it.
> I know you are trying to understand the vulnerability, but please consider
> the (potential) audience when asking such questions.
I totally disagree... This attitude has infested computer security for
long enough. There was an excellent article on this in some DEC rag
about a year ago. Being secretive about security holes doesn't help
anyone but the hackers and spies that already know the holes.
Once the affected product has been patched and the patch is widely
available, there's little reason to keep secretive about the bug.
A little light is what's needed to kill off the remaining infection.
It is also because of this secretive attitude that legit computer
security circles and publications are so far behind their hacker
equivalents. I appreciate getting CERT advisories, but I find 2600 at
least as informative, and I've considered taking lessons in Dutch just
so I can read some of the better publications.
Besides, like most people on this list, I'm not worried about casual
hackers most of whom break into networks just to see if they can. The
real threat to our network comes from professional corporate spies.
These people probably already know the details of these bugs and
posting them to this list will only serve to enlighten us poor
sysadmins who havn't the time or resources to spend uncovering them
on our own.
Please post; Inquiring minds want to know!