Dailydave mailing list archives

Re: oooh, isc2 gets p0wned


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sun, 6 Jun 2004 14:05:13 -0500

On Sunday 06 June 2004 09:41, Dave Aitel wrote:
> One thing I've been thinking about is that you don't see the OISAFETY
> people in the news nearly as much anymore. I'm hoping this means that
> it's lost all momentum

If only they would just go away....
http://finance.lycos.com/qc/news/story.aspx?symbols=NYSE:NET&story=200405251425_BWR__BW5568

The Microsoft Security Response team started quoting OIS guidelines to me 
the last time I tried to report a bug to them. The ensuing discussion was 
informative as to how they perceive independent researchers and the 
"community" as a whole. The short version is that my reasons for having to 
accelerate the patch release (due to public traffic logs of the 
discovery) were irrelevant, and the only way I would get my "credit" 
would be to sit on my hands and wait for them to get around to fixing it. 
The fact that I really didn't care never made it across. The end result 
was that after five months of the code being available, they posted an 
inaccurate advisory that didn't include the real possibility of code 
execution. Qualys was given credit for reporting a similar vulnerability 
and only a handful of people are aware of just how easy it is to exploit 
the WINS overflow on Windows 2000....

> , and not that they are busy raising money and
> playing behind the scenes lobbying games with politicians to take away
> our freedoms. I mean, any team with the SCO Group as a prominent
> member is a bad group to be on.

It's just amazing how Microsoft managed to turn that many companies into 
their sock puppets. Nothing like a little financial incentive to bend 
those boilerplate ethics...

-HD