
Re: Debian Investigation Report after Server Compromises



On Tue, Dec 02, 2003 at 01:12:40PM -0600, Alex Malinovich wrote:

| Thanks for the link. It certainly makes for interesting reading. Though
| I am somewhat concerned about the following bit from the message:
| 
| "Please understand that we cannot give away the used exploit to random
| people who we don't know.  So please don't ask us about it."

Huh, I missed this when reading the announcements.  Anyways, I thought
they _did_ announce the exploit.  Well, ok, they didn't give out a
script-kiddie to automate it, but they told right where the problem is
and it doesn't take a genius to figure out the details.  (In fact, I
read a web page once that explained the details of how buffer
overflows on the C stack can be exploited.  Very interesting.)

| I'm afraid I'm part of the group that just doesn't understand. This
| snippet reeks of security through obscurity for me. If the hole has been
| identified and, presumably, fixed, why not tell people about it?

The only thing I have to add, apart from noting above that the exploit
was divulged, is that the other respondents have said "it isn't fixed" and
that perspective seems to fit with what you would expect.

-D

-- 
Pride goes before destruction,
a haughty spirit before a fall.
        Proverbs 16:18
 
www: http://dman13.dyndns.org/~dman/            jabber: dman@dman13.dyndns.org
