On 20 Oct 03 03:28:02AM mitch_hurrison@ziplip.com[mitch_hurrison@ziplip.com] wrote:
: That's a fine example of the whitehat leech mentality you're
: displaying there. Why do you insist on being so dependent on
: other people's findings?

Not really - just interested in seeing what other people had found. I don't think that qualifies as "dependence". BTW, I thought "whitehat" implied non-disclosure, which isn't really the direction I'm coming from.

: You're supposed to be some sort of
: "security" expert no?

I've never made such a claim - on this list or any other.

: Well here's an idea, how about you go
: research the bug yourself and base any conclusions on exploitability
: on that. Instead of begging the people who put in the work
: to disclose their research. What is the added value of anyone
: disclosing an exploit to you?

Actually, I *am* researching the bug myself. I didn't realize that asking the community for assistance in that research was such a problem. My most insincere apologies to you.

: A) You know the bug exists.

True.

: B) You know it's probably a good idea to patch it.

Already done. However, the more I know about the bug itself the better I can learn to assess the patch, as well as further issues.

: So I don't see what the big deal is with it being exploitable
: or not.

Ok - so why bother flaming me?

: The fact that you don't have the skills to independently research and exploit the ossh nul overflow has no bearing on the
: fact that you should patch your openssh daemons.

I don't really think you are really in a position to assess my skills. Regardless, I do believe that this is precisely the point. I want to learn more about how this exploit works. If there is working code out there that I can learn from, why not ask? If people don't want to give up their code - that is perfectly fine with me.

: So unless you
: plan on owning a bunch of boxen mr. stackheap (!?)

That is definitely not my intent - the people who know me realize this. The people who don't can hold on to their code. Again, this is OK with me.

: I don't see
: why the likes of you would need any confirmation or even working
: exploit code. Disclosing an exploit would at this stage only
: cause a lot of senseless hacking.

I frankly don't give a shit whether you see benefit in this or not. This is a full-disclosure list. If I want to ask others for help in this area, I feel that is my right. Conversely, I understand and respect the right of everyone else out there to either help me or not.

: But to put your mind at ease. Yes it is exploitable.

Ahhh - thank you so much. I will sleep better now knowing that you have eased my pains of doubt.

: Will you
: get an exploit from me? Hell no.

Fine - all you had to do then was shut the hell up. If you have exploit code and don't want to give it to me - THAT IS FUCKING FINE WITH ME.

: And I doubt that anyone who
: put in the research time would just give up their work like
: that.

Again, this is their right, and I understand it. I'm glad that you took it upon yourself to speak for the list though.

: There is absolutely no justification for the public disclosure
: of an exploit for this issue. It's been recognised as a security
: issue and people have been advised to patch.

Who are you to make such a decision?

: Again, putting an
: exploit in the hands of the greedy and clueless is not something
: I would want to be responsible for.

Neither would I - but then again we seem to be in a bit of disagreement as to whether or not I am "greedy and clueless". <shrug> You've never met me, nor spoken to me, that I know of, so how can you assess? Besides, it's not like other exploit code hasn't made it to this list. It is FD after all.

: And I doubt any sensible
: person would release an exploit for this issue. Be it only because
: successful exploitation of the bug requires abuse of a lesser
: but still unknown issue which ensures a favorable heap layout.
:
: I seriously hope no one falls for the trap of releasing exploit code
: to "prove" a point. Ignorance is bliss. If you can't write the
: exploit, you don't need the exploit. End of story.

I disagree - not everyone is a coding god like you evidently. There are those of us in the security field with competencies in other areas. This does not diminish a desire or need to learn new things. I'm a bit stumped here - I thought FD was FD. But now it's only FD when you want it to be?

: With regards,

Yeah, right. 8-)

~S

--
aka Dolph Longhorn
attica@stackheap.org
GPG Key ID: 0xF8F859D0
http://pgp.mit.edu:11371/pks/lookup?search=0xF8F859D0&op=index
"There is no such thing as right and wrong, there's just popular opinion."
-Jeffrey Goines