Dave Hayes <dave @
# Ok, I can play too.
# "Note that Firewalls isn't an appropriate place to discuss this stuff;
# I'm merely doing this for those who are interested."
Let's quote exactly what I said:
Note that Firewalls isn't an appropriate place to discuss this stuff;
I'm merely forwarding a pointer to the information for anybody who is
# Brent, what gives? You seem to be reasonable in person. Granted I'm new,
# and granted the flames about sendmail bugs have been going on for a while.
# But posting several "this is inappropriate" messages, and then turning around
# with a disclaimer and posting more inappropriate messages is inexcusably
I don't think posting pointers to information or to discussions going
on in other forums is inappropriate.
What I meant by the disclaimer above was "Here's something many of you
may be interested in, but it's only marginally related to Firewalls,
so I don't think it's appropriate to discuss the issues on Firewalls."
My alternative was to not forward the message, and be accused of
suppressing information (and you can bet that _somebody_ would have
accused me of that).
If the originator had posted the message directly to Firewalls, and
I'd responded with something like "that's interesting, but I don't
think it's relevant to the discussion here", would you be reacting the
# I realize that your job also relies on the secrecy of computer security
# related information, just as CERT's does, and that you are on their side.
# There's no shame in that.
What gives you the idea my job depends on secrecy? I suppose it does,
in that I'm bound to keep the particular configurations of my
customers "secret", but isn't that pretty much the same as keeping
your root password "secret"?
The reason I haven't been telling everyone about how to exploit all
the various bugs is that I don't _KNOW_ how to exploit all the various
bugs. I know that the bugs exist, and that they are exploitable, and
that there are steps you can take to guard against them. But in
general I don't know the particular details of the exploitation; nor
do I have enough interest in them to devote the time to working them out.
# But are you really willing to demonstrate a double standard like this,
# as the moderator of a mailing list?
I don't moderate the list. If I moderated the list, none of this
would have ever come up; I would have killed these threads about 100
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041