On Mon, 29 Aug 2005, Paul Gear wrote:

... [ prev process/procedure snipped ]

> What makes you think that this didn't occur?

sounds like a normal thing .. good

> > joey and crew can't possibly examine, review, fix, verify all bugs
> > no matter how good of an expert security coder they were
>
> My point exactly.  Which is why i can't understand why he'd even bother
> to question whether there was a vulnerability.

what one person or a group might consider high-priority vulnerability
may not be a high-priority vulnerability to another

coders get tons of bug reports from tons of people ..
- you have to have a process to filter thru all the reports
  and work on them in a productive way ...

eg.... personally, ( it's just me ), i'd throw out all local exploits
simply because to me, that is a very low priority

- the most "trivial local exploit" is pull the power cord
  (or the ethernet cable) which is very very common problem and occurrence

- when the secretary/ceo/cfo comes in at 8am, and find out their
  pc doesn't work, i don't want that "8am" phone call that their pc
  died overnight ( due to the janitor ) which is more likely to
  happen than an outside cracker breaking in to become root
  ( which already is a problem, regardless of they can become root
  once they are in, the fact that they got in is the problem...
  not the escalation )

- it's my view of how to deal with "local exploits" vs other
  security issues, policy, procedures, process, verification,
  bug fixes, manpower, budgets, etc, etc, etc

- security to me is: "can the cfo/ceo/theBoss keep working"
  while the security crew is sleeping or in meetings

- there's probably 1,000 reported pending vulnerabilities each day...
  ( wild guess at some crazy numbers to deal with daily )

- prioritize it somehow, and unfortunately, some prioritization
  will include how thorough the vulnerability and example exploit
  code is and who reported it

- none of this is a "debian security issue" or "joey-n-crew"

c ya
alvin