[cod] CoD exploit...
Chris Adams
chris at fragzzhost.com
Sun Jul 25 16:14:28 EDT 2004
Don't get me wrong, I think that it has to be done, yes, just Luigi should
withhold it as long as it takes. I believe he was the guy who found the HLDS
BOF last year? Really when there are no/few known hack attempts, and he has
worked it out, he should wait, even if it's a month, until the appropriate
fixes can be made. Because he let it out before the fixes were done, scores
of GSPs had to shut down all HL-based servers to avoid the enslaught of
script-kiddies who had just seen it on a security site. It was total chaos.
Valve were pretty slow to react, so the disruption was huge. He should have
made sure that the fix was out before he made it public. I believe that
Valve were hardly given any notice about the bug's release to the public
though.
Same with this MOHAA fix recently. He did make a Win32 fix, so I'll give him
credit there, but I think it's totally irresponsible to make something like
that public until the fixes had been done for Linux. I know he did at least
try, but he should have waited in my opinion until it was fixed. Until Ryan
managed to get the fix done, Linux users were no better off - in fact they
were worse off with the information about the hack being out. Before we were
vulnerable, but no-one knew, but afterwards we were vulnerable with the
whole hacker community being aware of it.
"People who think non-disclosure is a viable security concept should
be locked up". Those who think that disclosure without any fix is better
than non-disclosure should be locked up :-)
Anyway my comment was only meant to be a light-hearted comment with a slant
of frustration. There is a core of GSP owners from whom this fix is
confronted with the thought, "Not another bloody fix to test and roll
out..." rather than "Oh brilliant someone's put a stop to this
previously-unknown bug", who I think would agree. Sadly people seem to take
everything on mailing lists as blunt, matter-of-fact, accurate
representations of the author's exact truthful thoughts, without satire,
sarcasm or humour. :-(
Chris
----- Original Message -----
From: "Christopher Kunz" <chrislist at de-punkt.de>
To: <cod at icculus.org>
Sent: Sunday, July 25, 2004 8:42 PM
Subject: Re: [cod] CoD exploit...
> Josh Wright wrote:
>
> > Agreed.
> >
> > -jdwright
>
> To clarify this, I'm not attacking Ryan for his decision not to publish
> the details of the CoD exploit on this list.
>
> I'm attacking the opinion that Luigi, who has done very, very precious
> work for security in game servers, is doing something wrong where in
> contrary we can't thank him enough for seriously pentesting game servers.
>
> --ck
>
More information about the Cod
mailing list