re: Re: The +.htr bug strikes again

2000-12-26 Thread mikec

I for one appreciate the heads up, not everyone considers people on this list to be 
script kiddies!!
We are all developers here and we don't need Mr. Watts to babysit us.
On the topic of script kiddies, there is another side to that: there is the annoying 
older internet worker who looks at everything like a lawyer and puts disclaimers on 
everything and wants to protect us from ourselves.  Gimme the script kiddies any day, 
script kiddies grow up to be internet workers and innovators, annoying legally minded 
(old) programmers are just plain dull.


 ** Original Subject: Re: The +.htr bug strikes again
 ** Original Sender: "Kevin Schmidt" [EMAIL PROTECTED]
 ** Original Date: Fri, 22 Dec 2000 14:21:39 -0500

 ** Original Message follows... 


 Ok.  I can see that my piece of information, that I intended to be totally
 harmless, has caused quite a stir.  From now on I will keep my mouth shut.
 The only reason I let people on the list know is because the site uses CF
 and there had been a lot of discussion on the topic over the past few days.
 Several people didn't even know the bug existed.
 I told the site's administrators about the problem and I don't know if they
 have fixed it yet or not.  Maybe they don't care or maybe they do. There
 have been other sites mentioned in this thread that have the same problem.
 People disclosed the information to warn consumers of the problem and to
 choose someone else to provide the service that the said company provided
 because the company hadn't fixed the issue.  Some people on the list don't
 think mentioning these types of issues is a problem, others do.  I am
 stepping off my soapbox now.  If anyone has questions about the +.htr issue
 I'll be happy to entertain them.  There have also been numerous posts with
 URLs to the patch posted to the list.
 
 Happy Holidays
 
 Kevin Schmidt, Web Technology Manager
 Allaire Certified Cold Fusion Developer
 pwb inc.
 integrated marketing communications
 350 S. Main St., Suite 350
 Ann Arbor, MI 48104
 734.995.5000 (tel)
 734.995.5002 (fax)
 www.pwb.com
 
 
 - Original Message -
 From: "Dave Watts" [EMAIL PROTECTED]
 To: "CF-Talk" [EMAIL PROTECTED]
 Sent: Friday, December 22, 2000 12:04 PM
 Subject: RE: The +.htr bug strikes again
 
 
   There are two sides to this issue. 1. Releasing bug/vulnerability
   information to the public will release hordes of script
   kiddies to cause havoc and dismay instantaneously without
   recourse. 2. Releasing bug/vulnerability information will cause
   industry leaders like Microsoft and respectively Allaire to
   act on the information sooner than later.
  
   I can see both sides of the fence but would lean to alerting
   the public to the problem. Security by obscurity is not a good
   policy to live by.
 
  While I agree with this as far as product vendors are concerned, that's not
  what's going on here. It's one thing to release general information about
  vulnerabilities in MS products to the public (although even within the
  security community, there's quite a bit of debate over whether and how this
  should be done - should the vendor be notified privately first, how long
  between vendor notification and public release, etc.). It's another thing to
  release specific information about who hasn't patched their installations of
  vendor products, which is what's going on here - "so-and-so is vulnerable to
  the .htr bug". This doesn't have any place within either side of the issue
  that you're talking about, and is pretty irresponsible in my opinion.
 
  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
  voice: (202) 797-5496
  fax: (202) 797-5444
 
 


Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Re: The +.htr bug strikes again

2000-12-26 Thread Benjamin S. Rogers

Mike,

This may be one of the most ignorant statements I've seen posted to a list
in a while. I use the word "ignorant," first, because of the ill-conceived
attack on Dave Watts, who has been contributing to this list (and the
ColdFusion community at large) for some time. Although I'm sure Dave doesn't
care, I would think an apology is in order.

Second, I believe your statement was bred of ignorance if you think the
destructive behavior of solitary script kiddies executing precompiled
executables against distant servers is necessarily predisposed to becoming
the skilled programmers that you would like to work with: a good part of
what it takes to be on a team is trust and good-natured comradery, things
the script kiddies are more times than not lacking.

Benjamin S. Rogers
Web Developer, c4.net
voice: (508) 240-0051
fax: (508) 240-0057

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 26, 2000 1:26 PM
To: CF-Talk
Subject: re: Re: The +.htr bug strikes again


I for one appreciate the heads up, not everyone considers people on this
list to be script kiddies!!
We are all developers here and we don't need Mr. Watts to babysit us.
On the topic of script kiddies, there is another side to that: there is the
annoying older internet worker who looks at everything like a lawyer and puts
disclaimers on everything and wants to protect us from ourselves.  Gimme the
script kiddies any day, script kiddies grow up to be internet workers and
innovators, annoying legally minded (old) programmers are just plain dull.



RE: Re: The +.htr bug strikes again

2000-12-26 Thread mikec

Wow, I've made a new friend.
Cool ya jets there, Hercules.
I never attacked Dave Watts but merely pointed out my opinion concerning his comments 
about script kiddies on this list. I think it's safe to say there is not a major 
problem with script kiddies roaming this list lurking about in the shadows to grab 
sensitive information for naughty purposes.  Sorry I don't agree with you about script 
kiddies, I guess that makes me the anti-christ to you or something. Dave Watts simply 
had an opinion concerning the posting of the +.htr bug. Through that posting I know of 
at least 3 working developers who learned about the bug and moved to fix it because of 
that post, including myself. Now if we all had taken that hysterically cynical view of 
the world that you seem to have, well, that wouldn't have happened, would it?
As for ignorant, I guess you now hold the title as most ignorant post to any list :)
Also, if you think I should apologize to Dave Watts, then what will you do for me after 
your calling me ignorant, are you going to buy me dinner now?
You may despise script kiddies, but they are the future, not all script kiddies are 
criminal in intent, and no one was defending the act of hacking.
So take a Valium and relax.
MikeC


 ** Original Subject: RE: Re: The +.htr bug strikes again
 ** Original Sender: "Benjamin S. Rogers" [EMAIL PROTECTED]
 ** Original Date: Tue, 26 Dec 2000 16:14:27 -0500

 ** Original Message follows... 


 Mike,
 
 This may be one of the most ignorant statements I've seen posted to a list
 in a while. I use the word "ignorant," first, because of the ill-conceived
 attack on Dave Watts, who has been contributing to this list (and the
 ColdFusion community at large) for some time. Although I'm sure Dave doesn't
 care, I would think an apology is in order.
 
 Second, I believe your statement was bred of ignorance if you think the
 destructive behavior of solitary script kiddies executing precompiled
 executables against distant servers is necessarily predisposed to becoming
 the skilled programmers that you would like to work with: a good part of
 what it takes to be on a team is trust and good-natured comradery, things
 the script kiddies are more times than not lacking.
 
 Benjamin S. Rogers
 Web Developer, c4.net
 voice: (508) 240-0051
 fax: (508) 240-0057
 

re: RE: The +.htr bug strikes again

2000-12-21 Thread mikec

Yeah, my life is complete now, I have the source code for Hasbro, gimme a break. 
I think most of us on here have better things to do than swipe code off a site, 
especially seeing as all you have to do is ask on the list and people usually will 
give you code if needed.


 ** Original Subject: RE: The +.htr bug strikes again
 ** Original Sender: Eric Fickes [EMAIL PROTECTED]
 ** Original Date: Thu, 21 Dec 2000 12:06:58 -0500

 ** Original Message follows... 


 So you're wanting everybody to take advantage of Hasbro's mistake before
 they can fix it?
 
 E+htr
 
 -Original Message-
 From: Kevin Schmidt [mailto:[EMAIL PROTECTED]]
 
 Check out Hasbro Interactive.  They run entirely CF and haven't patched the
 +.htr bug yet.  I alerted them to this fact.
 
 Kevin Schmidt, Web Technology Manager
 Allaire Certified Cold Fusion Developer
 pwb inc.
 integrated marketing communications
 350 S. Main St., Suite 350
 Ann Arbor, MI 48104
 734.995.5000 (tel)
 734.995.5002 (fax)
 www.pwb.com
