| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jul 2005 17:02:40 -0700 From: Dragos Ruiu <dr@....net> To: bugtraq@...urityfocus.com Subject: Re: ICMP Vulnerabilities On Thursday, 7 July 2005 J. Oquendo wrote: > This isn't news news, I've been tinkering with something along > these lines since 1999 Well you may have known about the problem, but you didn't fix it. The news isn't the problem, it's the FIX. The fix which people haven't applied to their OS distributions yet. To reiterate: On Wednesday, 6 July 2005 Theo de Raadt wrote: > Please read the article. People saw the presentation at CanSecWest and had the same reaction. Oh that... it's an old problem. Well, it's not really if you look carefully. It's an important problem and it needs to be fixed. Maybe the right solution is to just release the kiddy-exploit-code and melt down a few big ISPs for a couple of days so people stop parroting "It's an old problem" and get down to fixing it. It seems to me that this perception problem is caused by skirting the issue and being oblique about how to explicitly use this attack to cause harm. People are ignoring the fix because they can't immediately see how to do the attack (it's somewhat subtle). Maybe what is needed is the Internet-Wide-Scale-DoS-HOWTO and people will finally apply the fix logic (which isn't that complicated as far as I can see). But echoing "this is an old problem" isn't helping to propagate the fix. So let's stop saying that. Vendors, please fix your broken OSes. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 15/16 2005 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp
Powered by blists - more mailing lists