lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030226060012.GA23330@verge.net.au>
From: horms at verge.net.au (Horms)
Subject: Re: Terminal Emulator Security Issues

On Tue, Feb 25, 2003 at 08:07:08AM -0600, H D Moore wrote:
> On Monday 24 February 2003 08:09 pm, Michael Jennings wrote:
> > I'm not sure what "vendor coordination" was done, but I know I was
> > never contacted.  Just FYI.
> 
> The vendor coordination was done through the vendor-sec mailing list with 
> about a three-week head start prior to disclosure. There really weren't 
> many true "bugs" found, just about everything covered was implemented 
> deliberately and could be found in the documentation of the app. There 
> had already been a number of debates on the exploitability of these 
> features, so this paper was more of a FAQ than any sort of advisory.  It 
> wasn't my intention to catch anyone off-guard on this, just to bring 
> these issues back into the limelight for a while and see if other people 
> had a similar take on them.

I would suggest that vendor coordination that doesn't involve
contacting the authors is a specious process. Surely the authors
themselves would be useful allies in exploring the full consequences of
and resolving security problems. After all they probably know the code
at least as well as anyone else.

-- 
Horms

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ