Bugtraq mailing list archives

Re: Various resources

From: rwing!pat () ole cdac com (Pat Myrto)
Date: Fri, 30 Sep 94 14:56:36 PDT


"In the previous message, H Morrow Long said..."

I know this sounds naive and stupid to some/most
of you, but PLEASE enlighten me.  What is 8lgm?
Thanks in advance.
Tenna Sakai (tws () mrc com)


No, everyone has to be initially informed at some point in time.
Nobody was born with all this information... :-)

8lgm is (supposedly) a group of reformed hackers.  > > They post a

list of security holes along with script that demonstrate how to >
exploit them.

That is what I understand they are, too.  Whatever, they seem to perform
a needed service.  Without the information gleaned, I would have a lot
more unaddressed vulnerabilities, and worse, would not have the slightest
clue how to look for them.  One can get an idea of how cracker types
think and operate by examiningg some of the examples, so if one has
one's own machine (or appropraite permission), and some time, one can
look for and try other possibilities, and most important, be able to
TEST a fix that is supposed to be all the berries.  Not all fixes
work as well as claimed.

Until they showed up, one pretty much had to rely on CERT, etc., meaningful
information was kept to a tiny clique and hardly ever shared.  Talk
about a day late and a dollar short...  people were thinking they were
all safe and secure, then BAM! the bubble gets broken.  The crackers
are sitting there laughing while the 'lamers' are trying to figure out
what the hell happened...  One asks CERT, and they say "A vulnerability
exists".  MAYBE.  Some vendors may flat deny it, some will say "Its a bug.
Look for a fix in the NEXT RELEASE... due out next year..."

I am also convinced many cracker groups have someone who has access to
source, possibly from school or Daddy's job running some big site, and
who has nothing better to do than spend all day looking for possible
vulnerabilities and devise ways to exploit them...  Then exploit
instructions or scripts are passed around and literally everyone EXCEPT
the site admins and honest users knows about them...

My 2 cents worth...  No, I am not a fan of "security through obscurity"
or hiding the fact the holes exist and information needed to check ones
system out and fix the thing.

-- 
pat@rwing  [If all fails, try:  rwing!pat () eskimo com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.

Current thread:

kern_exec.c, (continued)
- kern_exec.c an134699 () anon penet fi (Sep 29)
  - Re: kern_exec.c Karl Strickland (Sep 29)
  - Re: kern_exec.c Len Rose (Sep 29)
  - A request Mark Graff (Sep 29)
    - A request Scott D. Yelich (Sep 30)
    - Mail flags for using procmail instead of /bin/mail? James R. Ault (Sep 30)
    - Re: Mail flags for using procmail instead of /bin/mail? Adam Shostack (Sep 30)
  - Re: kern_exec.c John Hawkinson (Sep 29)
- Re: Various resources tws () mrc com (Sep 30)
- Re: Various resources H Morrow Long (Sep 30)
  - Re: Various resources Pat Myrto (Sep 30)
- Re: Various resources H Morrow Long (Sep 30)