Re: [FD] Should it be better ...

Fri, 18 Jul 2014 16:16:26 -0700

Another possible consequence: This 'link-friendly' advisories lets the originator (a person, an institution or a fake of anyone of those) track the individual that routinely click on that links. Maybe just to build a list of people (IP->ISP->Country->Client of the ISP->Your home) interested in security, maybe not only for that. Who knows!? Just don't click on them ... or do it, nobody is watching! ;) 

Regards,
Pablo.

El 10/07/2014 02:07 p.m., Fyodor escribió:
On Thu, Jul 10, 2014 at 7:51 AM, Pablo <[email protected] <mailto:[email protected]>> wrote: 

    [Would] it be better to include the Advisory Details/exploit/code
    in the body of the email to FD, and not in a link to a
    blog/site/company so the list archive will be an archive and not a
    index to some, possible down, link?
Yes, it is absolutely better to include full details in the body of the message rather than just a link. I haven't been rejecting the link-only messages (as long as there is at least a brief summary), but they are annoying. Not only are they a pain to read (need to open a browser and/or follow a link), but they screw up the archives. Right now we're able to browse Bugtraq from more than 20 years ago, and it's fascinating: 

http://seclists.org/bugtraq/1993/Nov/index.html
But if those messages were just links to other sites, how many would still work? Hardly any.
Now it's perfectly fine to ALSO include a link to the advisory on a web site. Just include full details in the body of the post too. The main exception is binary attachments. If an attachment is more than 500K or a megabyte, just link it that attachment (in the descriptive text body of your post) to avoid clogging up people's mail spools. Also, if you're posting someone else's work (like a news story or 3rd party blog or whatever), there may be copyright issues with just pasting the whole thing into your message. Still, try to include at least the first few paragraphs or a summary so we know what it is. 

Thanks,
Fyodor




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to