lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: pauls at (Schmehl, Paul L)
Subject: No Subject

> -----Original Message-----
> From: [] 
> Sent: Monday, October 20, 2003 3:44 PM
> To:
> Cc:
> Subject: [Full-Disclosure] No Subject
> I think you misinterpreted my argumentation. In my eyes
> anyone who is not independently capable of verifying
> the exploitability, or atleast devising the theory
> behind possible exploitation, of the ossh nul overflow
> is a "script kiddie". As you so aptly put it.
So there's the 1% l33ts like you, and then there's the 99% of the human
populace that has other things to do besides squirrel around with code.
I get it.

> Now if you're somewhat at home in heap mismanagement bugs
> you should know that this issue, provided you have a
> favourable heap layout (hooray for memory leaks), 
> is exploitable on atleast 
> Linux. That's as far as I'll go. Remember apache? One
> man's DoS is another man's remote. For god's sake even
> ISS believes the issue to be exploitable. And Duke may
> be alot of things, stupid he is not. (ok so maybe that's
> up for debate, hi Mark!) As far as the PAM issue goes,
> that's fucking trivial.

I learned in high school (which was a long long time ago) that there are
those that say they can do something, and then there are those who don't
say anything but do a lot.  You appear to fall into the first category
based on your ramblings.
> Now at the end of the day it's neither my duty nor my desire
> to release anything. I don't owe you shit. And I'm not about
> to post something that took alot of research just to make a 
> moot point. Any admin who did not patch their servers using 
> "oh it's just a DoS" as justification should be fired on the 
> spot. Again, and this is getting tiresome, a bug was 
> recognised to be a security issue. Security issues get a 
> priority to patch. It'd be a different story if it wasn't 
> published as being a security issue. 
Once again, another clueless code monkey who "admins" a network of one.
I'm not impressed.

Paul Schmehl (
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member 

Powered by blists - more mailing lists