Comments on Errata Security: Trivial remote Solaris 0day, disable telnet now.

Updated: 2024-01-16T05:48:33.523-05:00

Jordan T-H (2007-02-13T12:48:00.000-05:00):

Oh no! Someone released INFORMATION! Now the internet is going to collapse! Silence him before all this INFORMATION leaks out in to the opens!

Jessta (2007-02-12T22:41:00.000-05:00):

The person who released that exploit was right to do so.
It's such a simple exploit that it shouldn't have been there in the first place.

If it was given to Sun first and they released a patch then it would have the same impact.

Sun already had their chance to fix the problem when they developed the software, releasing the exploit to the wild gets the users of the software to put more pressure on developers to develop secure code.

David Maynor (2007-02-12T16:46:00.000-05:00):

We didn't disclose it. It was posted by another person to the full-disclosure mailing list. We were warning people this information is public and to disable telnet.

Seth (2007-02-12T16:42:00.000-05:00):

You're not a criminal, but don't be a dick -- throw the vendor a frickin' bone over here. No attempt was made to make contact and keep this secret before blowing it out there? Criminal? No. Irresponsible? Yes.

dre (2007-02-11T06:15:00.000-05:00):

my gosh, such humility! thank you kingcope for this wonderful 0-day exploit!!@#!

it's not the disclosure that is important here, however. it's the message. kcope was definitely trying to say something when he made the subject line "0day was the case that they gave me" on the full-disclosure mailing-list. this is one of those classically good times for full-disclosure without notifying the vendor beforehand.

in my opinion, kcope was trying to tell the vulnerability research community that he thinks the samy indictment was too harsh. in other words, "the charges were incorrectly filed by the prosecution because of cultural differences". it's something akin to the punishment does not fit the crime, but suggests more of a http://www.boston.com/news/local/articles/2007/02/01/marketing_gambit_exposes_a_wide_generation_gap.

if you didn't catch the reference, Snoop Dogg has a song/video/short-film/soundtrack called Murder Was the Case [that they gave me]. assuming that i understand this article (http://www.hollywoodreporter.com/hr/imdb/reviews/article_display.jsp?rid=607858) correctly, it appears that Snoop Dogg and Dr. Dre made the movie in response to what was acceptable by the media circa 1994. if you're black and carry a gun - that makes you evil and a murderer - according to the moral majority. Snoop was being charged with murder (IRL) at the time, and pleaded self-defense. His movie-short tried to convey that everyone is a victim when gunplay is a part of everyday life.

it also appears that kcope and samy released their 0days in response to what is acceptable by the security incident response community. if you're a hacker and release a 0day - that makes you evil and a computer-criminal - according to today's moral majority. kcope's vulnerability disclosure is trying to convey that everyone is a victim when mickey-mouse security-bypasses are so prevalent.

David Maynor (2007-02-11T02:52:00.000-05:00):

It is pretty much the same. It amazes me this bug went unseen for this long.

Anonymous (2007-02-11T02:47:00.000-05:00):

Isn't this nearly identical to the aix/linux rlogin -froot bug from years past (apart from not working for root)? Amazing.