Tally List : mailing list management, archiving, and analysis
Archive of:
CF-Talk
Cold Fusion - Technical
 
  Archived TallyList / CF-Talk: 
Subject: RE: Re: The +.htr bug strikes again
mikec@aeps.com (17p/+1r)     Posted: Tuesday 26 Dec 2000
This post: 89 views, +0 rating

Wow, I've made a new friend. Cool ya jets there, Hercules. I never attacked Dave Watts but merely pointed out my opinion concerning his comments about script kiddies on this list. I think it's safe to say there is not a major problem with script kiddies roaming this list, lurking about in the shadows to grab sensitive information for naughty purposes. Sorry, I don't agree with you about script kiddies; I guess that makes me the anti-christ to you or something. Dave Watts simply had an opinion concerning the posting of the +.htr bug. Through that posting I know of at least 3 working developers who learned about the bug and moved to fix it because of that post, including myself. Now if we all had taken that hysterically cynical view of the world that you seem to have, well, that wouldn't have happened, would it? As for ignorant, I guess you now hold the title as most ignorant post to any list :) Also, if you think I should apologize to Dave Watts, then what will you do for me after your calling me ignorant? Are you going to buy me dinner now? You may despise script kiddies, but they are the future; not all script kiddies are criminal in intent, and no one was defending the act of hacking. So take a valium and relax.

MikeC

> ** Original Subject: RE: Re: The +.htr bug strikes again
> ** Original Sender: "Benjamin S. Rogers" <ben@c4.net>
> ** Original Date: Tue, 26 Dec 2000 16:14:27 -0500

> ** Original Message follows...
>
> Mike,
>
> This may be one of the most ignorant statements I've seen posted to a list in a while. I use the word "ignorant," first, because of the ill-conceived attack on Dave Watts, who has been contributing to this list (and the ColdFusion community at large) for some time. Although I'm sure Dave doesn't care, I would think an apology is in order.
>
> Second, I believe your statement was bred of ignorance if you think the destructive behavior of solitary script kiddies executing precompiled executables against distant servers is necessarily predisposed to becoming the skilled programmers that you would like to work with: a good part of what it takes to be on a team is trust and good natured comradery, things the script kiddies are more times than not lacking.
>
> Benjamin S. Rogers
> Web Developer, c4.net
> voice: (508) 240-0051
> fax: (508) 240-0057
>
> -----Original Message-----
> From: mikec@aeps.com [mailto:mikec@aeps.com]
> Sent: Tuesday, December 26, 2000 1:26 PM
> To: CF-Talk
> Subject: re: Re: The +.htr bug strikes again
>
> I for one appreciate the heads up, not everyone considers people on this list to be script kiddies!! We are all developers here and we don't need Mr. Watts to babysit us. On the topic of script kiddies, there is another side to that: there is the annoying older internet worker who looks at everything like a lawyer and puts disclaimers on everything and wants to protect us from ourselves. Gimme the script kiddies any day. Script kiddies grow up to be internet workers and innovators; annoying legally minded (old) programmers are just plain dull.
>
> > ** Original Subject: Re: The +.htr bug strikes again
> > ** Original Sender: "Kevin Schmidt" <schmidt@pwb.com>
> > ** Original Date: Fri, 22 Dec 2000 14:21:39 -0500
> >
> > ** Original Message follows...
> >
> > Ok. I can see that my piece of information, that I intended to be totally harmless, has caused quite a stir. From now on I will keep my mouth shut. The only reason I let people on the list know is because the site uses CF and there had been a lot of discussion on the topic over the past few days. Several people didn't even know the bug existed. I told the site's administrators about the problem and I don't know if they have fixed it yet or not. Maybe they don't care or maybe they do. There have been other sites mentioned in this thread that have the same problem. People disclosed the information to warn consumers of the problem and to choose someone else to provide the service that the said company provided because the company hadn't fixed the issue. Some people on the list don't think mentioning these types of issues is a problem, others do. I am stepping off my soapbox now. If anyone has questions about the +.htr issue I'll be happy to entertain them. There have also been numerous posts with URLs to the patch posted to the list.
> >
> > Happy Holidays
> >
> > Kevin Schmidt, Web Technology Manager
> > Allaire Certified Cold Fusion Developer
> > pwb inc.
> > integrated marketing communications
> > 350 S. Main St., Suite 350
> > Ann Arbor, MI 48104
> > 734.995.5000 (tel)
> > 734.995.5002 (fax)
> > www.pwb.com
> >
> > ----- Original Message -----
> > From: "Dave Watts" <dwatts@figleaf.com>
> > To: "CF-Talk" <cf-talk@houseoffusion.com>
> > Sent: Friday, December 22, 2000 12:04 PM
> > Subject: RE: The +.htr bug strikes again
> >
> > There are two sides to this issue.
> > 1. Releasing bug/vulnerability information to the public will release hordes of script kiddies to cause havoc and dismay instantaneously without recourse.
> > 2. Releasing bug/vulnerability information will cause industry leaders like Microsoft and respectively Allaire to act on the information sooner than later.
> >
> > I can see both sides of the fence but would lean to alerting the public to the problem. Security by obscurity is not a good policy to live by.
> > >
> > > While I agree with this as far as product vendors are concerned, that's not what's going on here. It's one thing to release general information about vulnerabilities in MS products to the public (although even within the security community, there's quite a bit of debate over whether and how this should be done - should the vendor be notified privately first, how long between vendor notification and public release, etc.). It's another thing to release specific information about who hasn't patched their installations of vendor products, which is what's going on here - "so-and-so is vulnerable to the .htr bug". This doesn't have any place within either side of the issue that you're talking about, and is pretty irresponsible in my opinion.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444

