Mike,

This may be one of the most ignorant statements I've seen posted to a list
in a while. I use the word "ignorant," first, because of the ill-conceived
attack on Dave Watts, who has been contributing to this list (and the
ColdFusion community at large) for some time. Although I'm sure Dave doesn't
care, I would think an apology is in order.

Second, I believe your statement was bred of ignorance if you think the
destructive behavior of solitary script kiddies executing precompiled
executables against distant servers is necessarily predisposed to becoming
the skilled programmers that you would like to work with: a good part of
what it takes to be on a team is trust and good-natured comradery, things
the script kiddies are more times than not lacking.

Benjamin S. Rogers
Web Developer, c4.net
voice: (508) 240-0051
fax: (508) 240-0057

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 26, 2000 1:26 PM
To: CF-Talk
Subject: re: Re: The +.htr bug strikes again


I for one appreciate the heads up, not everyone considers people on this
list to be script kiddies!!
We are all developers here and we don't need Mr. Watts to babysit us.
On the topic of script kiddies, there is another side to that: there is the
annoying older internet worker who looks at everything like a lawyer and puts
disclaimers on everything and wants to protect us from ourselves. Gimme the
script kiddies any day; script kiddies grow up to be internet workers and
innovators, annoying legally minded (old) programmers are just plain dull.


> ** Original Subject: Re: The +.htr bug strikes again
> ** Original Sender: "Kevin Schmidt" <[EMAIL PROTECTED]>
> ** Original Date: Fri, 22 Dec 2000 14:21:39 -0500

> ** Original Message follows...

>
> Ok. I can see that my piece of information, that I intended to be totally
> harmless, has caused quite a stir. From now on I will keep my mouth shut.
> The only reason I let people on the list know is because the site uses CF
> and there had been a lot of discussion on the topic over the past few days.
> Several people didn't even know the bug existed.
> I told the site's administrators about the problem and I don't know if they
> have fixed it yet or not. Maybe they don't care or maybe they do. There
> have been other sites mentioned in this thread that have the same problem.
> People disclosed the information to warn consumers of the problem and to
> choose someone else to provide the service that the said company provided
> because the company hadn't fixed the issue. Some people on the list don't
> think mentioning these types of issues is a problem, others do. I am
> stepping off my soapbox now. If anyone has questions about the +.htr issue
> I'll be happy to entertain them. There have also been numerous posts with
> URLs to the patch posted to the list.
>
> Happy Holidays
>
> Kevin Schmidt, Web Technology Manager
> Allaire Certified Cold Fusion Developer
> pwb inc.
> integrated marketing communications
> 350 S. Main St., Suite 350
> Ann Arbor, MI 48104
> 734.995.5000 (tel)
> 734.995.5002 (fax)
> www.pwb.com
>
>
> ----- Original Message -----
> From: "Dave Watts" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Friday, December 22, 2000 12:04 PM
> Subject: RE: The +.htr bug strikes again
>
>
> > > There are two sides to this issue. 1. Releasing bug/vulnerability
> > > information to the public will release hordes of script
> > > kiddies to cause havoc and dismay instantaneously without
> > > recourse. 2. Releasing bug/vulnerability information will cause
> > > industry leaders like Microsoft and respectively Allaire to
> > > act on the information sooner than later.
> > >
> > > I can see both sides of the fence but would lean to alerting
> > > the public to the problem. Security by obscurity is not a good
> > > policy to live by.
> >
> > While I agree with this as far as product vendors are concerned, that's not
> > what's going on here. It's one thing to release general information about
> > vulnerabilities in MS products to the public (although even within the
> > security community, there's quite a bit of debate over whether and how this
> > should be done - should the vendor be notified privately first, how long
> > between vendor notification and public release, etc.). It's another thing to
> > release specific information about who hasn't patched their installations of
> > vendor products, which is what's going on here - "so-and-so is vulnerable to
> > the .htr bug". This doesn't have any place within either side of the issue
> > that you're talking about, and is pretty irresponsible in my opinion.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> >
>