From: mitch_hurrison at ziplip.com (mitch_hurrison@...lip.com)
Subject: No Subject (re: openssh exploit code?)

Hi Paul,

> So there's the 1% l33ts like you, and then there's the 99% of the 
> human populace that has other things to do besides squirrel 
> around with code. I get it.

How does my "squirreling around with code" all day bear relevance
to the points I put forward? If anything you as an admin should
be happy no one has been foolish enough to release an exploit
en masse, no? I chose this life and I chose to commit myself
to the research I do. I work hard at it and I don't think releasing
exploit code is a justifiable action in this day and age. Then
you come wobbling out of the woodwork to muster up some obscure
insult about me being a "code monkey"? Very classy, Paul.

We are discussing whether or not exploit code should be put forward
in a case where a bug has been clearly identified as a security
issue and the possible ramifications of this issue have been
made public. I find your comments rather childish and certainly
not fitting an "Adjunct Information Security Officer" of a large
University.

> I learned in high school (which was a long long time ago) that
> there are those that say they can do something, and then there 
> are those who don't say anything but do a lot.  You appear to 
> fall into the first category based on your ramblings.

I'm glad you learned something in High School Paul. Good for you.
Your actions on this list suggest nothing other than you
being a brazen loudmouth village idiot of sorts. Maybe you
should stick to your High School rhetoric and leave argumentation
to the grown ups?

> Once again, another clueless code monkey who "admins" a 
> network of one. I'm not impressed.

You seem to be holding a rather large grudge against the very
people who provide you with your livelihood. You're not impressed?
Who's supposed to be impressed here? We're debating an issue that
is very relevant to this list and to future similar events. I
don't see how your kindergarten antics are appropriate here.

With regards,
Mitch

> -----Original Message-----
> From: Schmehl, Paul L [mailto:pauls@...allas.edu]
> Sent: Monday, October 20, 2003, 3:37 PM
> Cc: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] No Subject
> 
> > -----Original Message-----
> > From: mitch_hurrison@...lip.com [mailto:mitch_hurrison@...lip.com] 
> > Sent: Monday, October 20, 2003 3:44 PM
> > To: frank@...bbe.us
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] No Subject
> > 
> > I think you misinterpreted my argumentation. In my eyes
> > anyone who is not independently capable of verifying
> > the exploitability, or at least devising the theory
> > behind possible exploitation, of the ossh nul overflow
> > is a "script kiddie". As you so aptly put it.
> > 
> So there's the 1% l33ts like you, and then there's the 99% of the human
> populace that has other things to do besides squirrel around with code.
> I get it.
> 
> > Now if you're somewhat at home in heap mismanagement bugs
> > you should know that this issue, provided you have a
> > favourable heap layout (hooray for memory leaks),
> > is exploitable on at least
> > Linux. That's as far as I'll go. Remember apache? One
> > man's DoS is another man's remote. For god's sake even
> > ISS believes the issue to be exploitable. And Duke may
> > be a lot of things, stupid he is not. (ok so maybe that's
> > up for debate, hi Mark!) As far as the PAM issue goes,
> > that's fucking trivial.
> 
> I learned in high school (which was a long long time ago) that there are
> those that say they can do something, and then there are those who don't
> say anything but do a lot.  You appear to fall into the first category
> based on your ramblings.
> > 
> > Now at the end of the day it's neither my duty nor my desire
> > to release anything. I don't owe you shit. And I'm not about
> > to post something that took a lot of research just to make a
> > moot point. Any admin who did not patch their servers using
> > "oh it's just a DoS" as justification should be fired on the
> > spot. Again, and this is getting tiresome, a bug was
> > recognised to be a security issue. Security issues get a
> > priority to patch. It'd be a different story if it wasn't
> > published as being a security issue.
> > 
> Once again, another clueless code monkey who "admins" a network of one.
> I'm not impressed.
> 
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/ 
> 
