Mail Bag

Friday, January 2, 1997

Date: Fri, 02 Jan 1998 13:03:49 -0600
From: "Ryan"
Subject: server exploits

Hi--

I like your site.  I really feel for that poor guy who posted the Q2 server exploit...he's probably getting e-mailbombed out the kazoo, thanks in large part to you.  Perhaps if you had any inkling at all about Computer Security and the way security concerns are fixed, this probably would have never happened.  Here's a chronology of what usually happens regarding _any_ computer security problem:

1.  Evil malicious person discovers a security hole.
2.  Said person exploits hole as much as possible.
3.  Hole is eventually revealed to the world by nice sysadmin who had his server compromised.
4.  Patch is created.
5.  Exploit is re-created in order for other sysadmins to see how the exploit worked, and perhaps to force other sysadmins to hurry up and patch their system too.

So, in effect, the person who posts exploits to mailing lists like bugtraq, 99% of the time, is not the person who originally made the exploit. It's usually just a well-meaning sysadmin or cs grad student doing their part to help out the cs community. "peedee" is probably going to have to end up changing his e-mail address -- it's too bad things had to happen this way.

What I have learned in my efforts in being a responsible journalist, assuming that isn't an oxymoron, is there are times when it ends you up in a very difficult position. I would certainly describe this as one of those cases.

I received dozens of emails informing me that the Tech Zone had posted the email address of the server crasher. I do not claim to be an expert in Internet security, but I have always considered the Tech Zone to be a reliable site. There was no explanation that the email address in question was acquired from bugtraq, just that it was the identity of the crasher. I tried to contact the accused, but he seemed to be getting mailbombed already (I dunno, I get a "too many hops (3)" message when I mail him, and I would expect a full mailbox--in any event, I could not reach him). So the question was: is this news (see next letter for an opinion on that question)? I made a post describing what was on the Tech Zone, with a question mark in the headline. I do not regret that post, it was all I could do under the circumstances. As I described in my story about this today, it is the follow-up post where I offer my unqualified opinion that I regret and retract.

As for whether the first story was newsworthy in the first place, I know I think so (and I know if I "decided" not to post it, I would've gotten accused of repressing news), but here's the opinion of someone who would disagree:

Date: Fri, 02 Jan 1998 13:48:57 -0500
From: paranrml
Subject: Q2 Server Crashing

I was just reading the continuation of the Q2 server-crashing saga on your page, and got to wondering; by actually speculating upon and acknowledging the fact that some individual(s) are responsible for this foolishness, are we not giving them exactly what he/she/they want?

I understand that it is the responsibility of folks like yourself to report any item you deem newsworthy to the community, but to continue to expound on this issue seems as though it would only invite more trouble. I can foresee lamers starting to claim responsibility, and more people finding more ways to crash the servers, all for the perceived glory these so-called "hackers" (I refuse to spell it with a "z") will receive by getting a mention on a site such as Blue's News.

It's a shame, but these morons thrive on that kind of attention. Why else would anyone waste their time trying to break something that's fun? I'd just hate to see the community subjected to further damage because we "fueled the fire".

I hope this doesn't come across as a shot at you, because it is certainly not intended in that manner. You have always been exemplary at keeping the best interests of the community in the forefront. It's just that this issue was bothering me, and I knew you'd give it due consideration.

Thanks for "hearing" me out -
