Discussion: Re: @(#)Mordred Labs advisory 0x0004: Multiple buffer overflows inPostgreSQL. (fwd)


Re: @(#)Mordred Labs advisory 0x0004: Multiple buffer overflows inPostgreSQL. (fwd)

From:
"Dann Corbit"
Date:
> -----Original Message-----
> From: Frank Wiles [mailto:frank@wiles.org]
> Sent: Tuesday, August 20, 2002 1:57 PM
> To: Dann Corbit
> Cc: pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] @(#)Mordred Labs advisory 0x0004:
> Multiple buffer overflows inPostgreSQL. (fwd)
>
>
>  .------[ Dann Corbit wrote (2002/08/20 at 13:54:53) ]------
>  |
>  |  > From: Vince Vielhaber [mailto:vev@michvhf.com]
>  |  > Sent: Tuesday, August 20, 2002 1:48 PM
>  |  > To: pgsql-hackers@postgreSQL.org
>  |  > Subject: [HACKERS] @(#)Mordred Labs advisory 0x0004: Multiple
>  |  > buffer overflows inPostgreSQL. (fwd)
>  |  >
>  |  >
>  |  >
>  |  > And another one.  Sure would be nice if shit-for-brains would
>  |  > mention it to us first.
>  |
>  |  It looks to me like he may be the most valuable tester on the staff.
>  |  As long as we find out what the problem is, why complain?
>  |
>  `-------------------------------------------------
>
>     The reason to complain is that he is not notifying the development
>     team before hand. Giving them absolutely no chance to work on a
>     fix prior to the whole world freaking out over these bugs.
>
>     If I were your neighbor, and I noticed your front door was open, I
>     would contact you and let you know... not take out a full-page
>     ad in the local newspaper! The same idea applies here. :)
>
>     Also, if I'm not mistaken this guy isn't on "staff".

Well, of course, a well-mannered team member would report the bugs
through one of the normal channels.
On the other hand, a malicious tester who finds these problems performs
two valuable services:
1.  Through great effort, he has found a problem that needs to be
addressed or serious consequences will result.
2.  He has raised a large public rancor.  The result of which is that
the serious problem must be addressed.

The motivation is suspect.  The character is suspect.  But the result is
of great value.  In a similar manner, it is a common practice to hire
hackers to try to break into your site.  While their methods will be
unconventional, and they can be very seedy and immoral characters, they
will reveal information of great value to show you exactly where the
hole needs to be plugged.


Re: @(#)Mordred Labs advisory 0x0004: Multiple buffer overflows inPostgreSQL. (fwd)

From:
Frank Wiles
Date:
 .------[ Dann Corbit wrote (2002/08/20 at 14:05:37) ]------
 |
 |  ... [large snip] ...
 |
 |  Well, of course, a well-mannered team member would report the bugs
 |  through one of the normal channels.
 |  On the other hand, a malicious tester who finds these problems performs
 |  two valuable services:
 |  1.  Through great effort, he has found a problem that needs to be
 |  addressed or serious consequences will result.
 |
 |  ... [small snip] ...
 `-------------------------------------------------

    Reading the TODO list is "great effort"? What puzzles me most is
    that you speak as if you have personal knowledge of how much effort
    it took.
---------------------------------
  Frank Wiles <frank@wiles.org>
  http://frank.wiles.org
---------------------------------