Security Basics mailing list archives

Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure


From: "Sandeep Cheema " <51l3n7 () live in>
Date: Wed, 7 Jul 2010 18:53:23 +0000

To put my thoughts:

1) There's more, from a security point of view, to disclosing. The vendor has to react; there's no choice given. Otherwise, if 
you work with the vendor it can take anything from a few days to 6 months or more. And when it's patched, they fail to 
acknowledge your report publicly. Not all, perhaps. Just my personal experiences have been bitter.

2) There's no law that can prevent you from disclosing the vulnerability. Exploiting it, of course, is, but that's not 
being discussed here.

3) Sometimes the vendor takes a long time to acknowledge the initial communication, which builds up the frustration, as we 
saw from a search engine employee against a software giant.

4) Very few vendors, apart from the major ones, have teams dedicated to working with independent researchers. So the good 
guy tries to find the correct contact to report to but is unsuccessful, and unfortunately has to blog about it.

5) I propose a system in which there is considerable monetary benefit from the vendor and not just credit. White hats 
should know the underground is all about money, the lack of it, and money again.

Regards, Sandeep
Sent from BlackBerry® on Airtel

-----Original Message-----
From: iamherevivek () gmail com
Date: Wed, 7 Jul 2010 15:20:50 
To: <fyne_ugo () yahoo com>; <noloader () gmail com>; <murdamcloud () bigpond com>
Cc: <security-basics () securityfocus com>
Subject: Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure

Hola,
 
 I don't agree that hackers are the only ones who benefit. I see it as part of a bigger cycle of worldwide security 
growth. Until someone breaks his/her head on some stuff, hacks it and shares, the industry will stagnate with useless stuff. 
The disclosures are one of many things that keep the wheel of security and hacking turning.  
 
 We should also remember that anyone disclosing a vulnerability informs the writer/publisher of the app(s) affected 
first, initiating a permanent upgrade of the specific approach that was flawed before it (the knowledge sharing is still not 
at an appreciable level). 
 
 The users/systems that aren't fixed will/might get hacked. Well, don't we call it human negligence? My understanding 
is that a very small number of computer users are affected by the worms and viruses using the disclosures. At the same time, 
I would like to recall the fact that a few combinations of disclosures might bring a set of worms that make it into the big 
league.
 
 Well, to wrap it up, everything (vulnerability disclosures) that has a beginning has an end (patches and upgraded 
security understanding of developers). It has its lifetime; some learn it the hard way during it. I think it will take 
tons of suggestions and open discussions to come up with a process that improves collective vulnerability, exploit 
and security research.
 
 
 My 2 cents
 
 Dead brain
 
 Sent on my BlackBerry® from Vodafone
 
 -----Original Message-----
 From: fyne_ugo () yahoo com
 Sender: listbounce () securityfocus com
 Date: Tue, 6 Jul 2010 21:14:20 
 To: <noloader () gmail com>; Murda<murdamcloud () bigpond com>
 Reply-To: fyne_ugo () yahoo com
 Cc: <security-basics () securityfocus com>
 Subject: Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure
 
 Vulnerabilities shouldn't be disclosed publicly. It's only hackers who would benefit from them. There should be bodies 
that will follow up and check them.
 Sent from my BlackBerry wireless device from MTN
 
 -----Original Message-----
 From: Jeffrey Walton <noloader () gmail com>
 Sender: listbounce () securityfocus com
 Date: Tue, 6 Jul 2010 14:31:19 
 To: Murda<murdamcloud () bigpond com>
 Reply-To: noloader () gmail com
 Cc: <security-basics () securityfocus com>
 Subject: Re: Cyber attacks "escalating" on irresponsible Tavis Ormandy disclosure
 
Personally, I think that a huge fist of economics may at some point render
some of these points moot. Companies may well not be able to afford to care
about holes...especially when those companies are reliant on over-leveraged
financial systems.
 I'd settle for some sort of product liability. It's not hard to imagine
 the discovery phase of litigation revealing that a vendor sat on a bug
 for years....
 
 On Mon, Jul 5, 2010 at 7:29 PM, Murda <murdamcloud () bigpond com> wrote:
So this seems to boil down to the two arguments (in my mind at least):
"The action of disclosing vulnerabilities may increase the risk of a breach
but may increase the likelihood of the vendor fixing the hole,"

Versus:

"The inaction of not disclosing the vulnerability may decrease the risk of a
breach but does not increase the likelihood of a vendor fixing the hole,"

Does that sound right? Anyone who has the ability to quantify those
arguments in a meaningful manner wins the right to tell me how the stock
market will fluctuate in the next six months...


Perhaps the thread name could (just as justifiably?) be "Cyber Attacks
"escalating" after irresponsible MS not fixing hole".

Personally, I think that a huge fist of economics may at some point render
some of these points moot. Companies may well not be able to afford to care
about holes...especially when those companies are reliant on over-leveraged
financial systems.

[SNIP]
 
 ------------------------------------------------------------------------
 Securing Apache Web Server with thawte Digital Certificate
 In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
 
 http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
 ------------------------------------------------------------------------
