Talk:Przemysław Frasunek

From Wikipedia, the free encyclopedia

Notability of vulnerabilities

First, are you Przemysław Frasunek?

No, I'm not. Adom11 (talk) 19:58, 17 January 2008 (UTC)[reply]
I put my contact data on the user page, so it could help verifying my intentions. Adom11 (talk) 21:09, 17 January 2008 (UTC)[reply]

Second, you need to provide a reference to a reliable source that says the vulnerability was actually notable. In the same time period, I see plenty of press hits for WU-FTPD vulns, but none of them appear to be this one.

Third, you need to verify that Przemysław Frasunek actually found the vulnerability. The Bugtraq post linked from the CVE post credits tf8, and only offers a "shout-out" to "venglin".

[1] & [2], CVE links to both. Adom11 (talk) 19:58, 17 January 2008 (UTC)[reply]
The first link you provided explicitly says he did not discover that vulnerability. I'm striking it from the article. --- tqbf 20:34, 17 January 2008 (UTC)[reply]

Thank you for not simply restoring the entire list of vulnerabilities, but if we can't provide actual references that establish your notability, I'm going to propose the article be deleted. Plenty of people have found major vulnerabilities, and yet have not been written about in sufficient detail to merit a Wikipedia article.

I understand your point of view, although IMO discovery of the exploitation technique for one of the most known forms of software vulnerability (format string attack) is quite enough to be noted on Wikipedia. See articles on Robert Tappan Morris or Michal Zalewski. Adom11 (talk) 19:58, 17 January 2008 (UTC)[reply]
I'm a total skeptic on vuln researchers of marginal notability being on WP; we lack articles for hugely respected researchers, for what I think is good reason. You're not a skeptic. I can be convinced that this isn't an AfD candidate --- but if I feel like "delete" will win when you're done, I'm sending it there. --- tqbf 20:13, 17 January 2008 (UTC)[reply]
Also --- nothing you've provided verifies that this person "discovered the exploit technique" for format string attacks, and I tend to doubt that's true. --- tqbf 20:14, 17 January 2008 (UTC)[reply]
Your user page suggests you're interested in computer security, so why not help me with verifying the article's theses (or proving them wrong) using Bugtraq or SecurityFocus archives (or any other well-known source)? It should be easy, huh :)? Adom11 (talk) 20:30, 17 January 2008 (UTC)[reply]
"Discoverer of how to exploit format string vulnerabilities" is an extraordinary claim. The burden is not on me to verify it. --- tqbf 20:33, 17 January 2008 (UTC)[reply]
If you agree that TESO's paper is a reliable source, which says that the first exploitation technique comes from tf8, and if you compare those exploits [3] & [4], you could spot a different approach to the problem (having in mind his informal comment on the issue); maybe it will then be easier for you to accept the phrase 'Co-discoverer of how to exploit format string vulnerabilities'. Even if not, I believe that we can agree on 'author of one of the first exploits for the format string bugs'. The problem we need to resolve then is whether it meets Wikipedia notability standards or not. A query of [5] returns ~12.5k results, [6] returns ~11k results, and [7] returns ~7k results. Adom11 (talk) 10:49, 23 January 2008 (UTC)[reply]

Ok, what about the current state of the article? Adom11 (talk) 21:05, 17 January 2008 (UTC)[reply]

--- tqbf 14:59, 17 January 2008 (UTC)[reply]

I can't evaluate the first cite; it's not in English. This is the English Wikipedia.
http://www.diva-portal.org/diva/getDocument?urn_nbn_se_liu_diva-7866-1__fulltext.pdf? We usually don't delete sources on quantum mechanics because a taxi driver cannot understand them. There are people fluent in the language of the document, so let them verify it. Many Wikipedias refer to sources in other languages (esp. English); I don't see a reason not to allow it here. What about marking it with a flag or with some other language descriptor? Adom11 (talk) 20:05, 17 January 2008 (UTC)[reply]
No, but you might delete a source on quantum mechanics if a physicist couldn't verify it. I'm not anonymous; check out my user page, and Google. --- tqbf 20:13, 17 January 2008 (UTC)[reply]
So, please, translate the article, and on the basis of your knowledge save it or delete the link. Adom11 (talk) 20:30, 17 January 2008 (UTC)[reply]
I can't translate the article, but given context about where the article was published, who wrote it, and what it says, I can evaluate whether it establishes notability for this researcher. Note that the other examples you gave --- Zalewski and RTM --- are "famous", having appeared regularly in the mainstream English press. --- tqbf 20:32, 17 January 2008 (UTC)[reply]
Why did you remove the link to the CVE on the WU-FTPD exploit? It just said he was an author of "one of the first exploits for...". Adom11 (talk) 21:05, 17 January 2008 (UTC)[reply]
Because the link you provided credits somebody else with the discovery of the vulnerability. --- tqbf 21:30, 17 January 2008 (UTC)[reply]
A vulnerability and an exploit are two different things. Adom11 (talk) 21:42, 17 January 2008 (UTC)[reply]
Thanks for informing me of that. Your link doesn't verify he wrote the exploit, either: again, it's credited to tf8. You can fix it this time, or I'm just going to list this on AfD. If this is the best you can do, I'm convinced this person isn't notable. --- tqbf 22:02, 17 January 2008 (UTC)[reply]
It's probably no proof by Wikipedia standards, but this is a comment by Frasunek from the Polish wiki at pl:Dyskusja:Format string attack. In bad translation it says: "In 2000, there was an informal computer security group called b0f, of which I (Przemysław Frasunek), tf8, and for some time also lcamtuf (Michal Zalewski) were members. The original discoverer of the vulnerability was unknown to us, and we were informed about the vulnerability by tf8. From that point several independent analyses of the vulnerability were started. We had agreed that our work would be published under the name of the b0f group. On June 22nd, 2000, tf8 and I independently created exploits, which (as almost anybody can spot) worked differently. Unfortunately, tf8 released the exploit without coordination with the rest of the group, and what is more, he falsified the date in the exploit header (1999 vs 2000). Just after I read it on Bugtraq, I sent my version of the exploit, and because of the Bugtraq moderation it appeared a few hours later. To sum up: the vulnerability had been found by an unknown person, but exploits were developed simultaneously by me and tf8, thus the credit in the exploit header. I have an email archive confirming that scenario." -Venglin 00:51, 20 lut 2007 (CET) Adom11 (talk) 22:36, 17 January 2008 (UTC)[reply]

(<-dent) See WP:RS. Wikis are never reliable sources; email messages are not sources unless posted somewhere reliable, not usable to verify disputed facts, and are primary sources subject to WP:OR. You haven't verified this fact. I see no evidence this person is notable. --- tqbf 01:31, 18 January 2008 (UTC)[reply]

Don't you think that it would be quite silly that this hacker, with a quite respectable security research history http://www.frasunek.com/#security, would send somebody else's exploit to the Bugtraq list? The proof is in the Bugtraq archives: tf8's version [8], Frasunek's version [9]. An explanation of the credits given in each exploit is here (my poor translation somewhere above). Analysis of the exploits' source code is another proof, for those who are capable of performing it. Here's TESO's document stating ...tf8, who wrote the first format string exploit ever.... I don't even try to argue that tf8's version was or was not the first on Bugtraq (I never said or wrote so). What I put down in the article is that Frasunek's (venglin's) version was one of the first published; and the truth about whose method was the first developed is probably known only to them right now. Adom11 (talk) 05:44, 23 January 2008 (UTC)[reply]

I dispute that the cite to "economy-point.org" is reliable: there is no evidence of editorial oversight, and the content is badly machine-translated. --- tqbf 19:47, 17 January 2008 (UTC)[reply]

Agreed Adom11 (talk) 20:05, 17 January 2008 (UTC)[reply]

Deleting this article

I'm convinced this person isn't notable, to the degree required by WP:N.

I'm giving this page another week, from today, and then I'm going to propose deletion, and, if necessary, submit it to AfD. If reliable sources are added between now and then, of course I'll leave the article alone.

--- tqbf 01:33, 18 January 2008 (UTC)[reply]