Yesterday, we recieved a bug report in our BackTrack forums describing an “0-day privilage escalation in BackTrack” from the Infosec Institute.
Initially, the bug report confused us, as BackTrack 5 R2 by default has a single root user, with no open TCP or UDP ports – therefore a console escalation from root to root seemed frivolous. The title of the bug was even more confusing – calling it a “BackTrack 0day” misrepresents the bug, apparently in an attempt to make it seem bigger than it is.
As an organization who claim to be security professionals, the Infosec Institute should know better. They should know that an accurate vulnerability description is probably the most important aspect of a bug report. Without this basic rule in place, every single 3’rd party FTP overflow in windows would be categorized as a “Windows 0day”, and every PHP web application vulnerability would be defined as an “Apache 0day”.
To summarise, we believe that the intentional misrepresentation of this bug report has discredited BackTrack unecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do.
Lastly, we found the following quote from Saul Bellow relevant to this situation. “A great deal of intelligence can be invested in ignorance when the need for illusion is deep“.