(no subject)

[full-disclosure () lists netsys com (M L Lynch [ SotG ])]

"incorrect.  vendors are just human.  do produce code that perfect you'd end
up paying a whole lot more.  my method works better.  dont approach the
whitehat community with your bug.  go to the software developers directly.
and no one else.  that is, assuming you want to tell anyone at all... which
i dont personally advocate but we have to be realistic here... some ppl
wont let go of ethics, and i understand that.  you're probably a good
example."

I don't usually post to mailing lists, but I just had to comment on the
above remark ^

If you ever find a major security bug in a major piece of software, such as
M$ software, approaching the vendor directly does not work. Quite often they
will just add it to the end of the list of complaints, and might get around
to it in some future patch... if they feel like it... and if they think the
security bug you found posses great risk, they still won't fix it till they
feel like doing it.. instead, they now know who you are... and they take
subtle yet effective precautions to make sure you don't tell anyone about
it. I know.

Atleast if proof of concept is out there, and the risk is publicly known,
they have some motivation to fix it, and the users of the product can take
precautions to get around the bug until it is fixed.

Anyway, my thoughts.

Cheers

----- Original Message -----
From: "sockz loves you" <sockz () email com>
To: <full-disclosure () lists netsys com>
Sent: Monday, August 19, 2002 2:33 PM
Subject: Re: [Full-disclosure] (no subject)


> ----- Original Message -----
> From: "Matthew Murphy" <mattmurphy () kc rr com>
> Date: Sun, 18 Aug 2002 09:51:02 -0500
> To: <full-disclosure () lists netsys com>
> Subject: Re: [Full-disclosure] (no subject)
>
> > > whitehat using outlook express.  hehe, gotta love the irony in life.
> >
> > Your point?  OE was free, and came installed on my machine (which was
> > important on my 28.8 kbps connection, which I have happily ditched now),
> > it's fast, and actually, OE 6 makes some nice security/privacy
improvements
> > over previous versions, and I can access Hotmail from it, which is a
plus.
> > Actually, if you keep your client patched (which us pretty easy with a
> > couple of apps named "wuauboot.exe" and "wuauclt.exe" from Microsoft
that
> > *also* came conveniently installed as "Windows Update Automatic
Update"),
> > and you have enough common sense not to go double clicking on every
other
> > attachment you receive, OE is just as good as (and usually better than)
many
> > mail clients.
>
> kids these days have no appreciation of just how fast the internet is.
> dude, i was downloading openbsd on a 33k modem only a few months ago... i
dont
> see how your point is very valid.  i mean, we're talking about an email
> client here, not an entire operating system.  hotmail is as buggy as
outlook
> express, and as for windows updates... well, i can honestly say that i'd
> rather patch windows myself, microsofts "updates" seem to cause more
problems
> than they fix.  perhaps outlook express is good.  perhaps its not.  i just
> found it funny that someone like yourself was actually using the product
given
> its sullied reputation in the security industry.
>
> > I wouldn't be protected against it if the details weren't made public
and
> > fixes made
> > available to me.  Just FYI blaming the industry for the proliferation of
> > security info
> > is not a very good way to look at this.  Vendors should have written
secure
> > code
> > in the first place, so such vulnerability information would never have
to be
> > distributed.
>
> incorrect.  vendors are just human.  do produce code that perfect you'd
end
> up paying a whole lot more.  my method works better.  dont approach the
> whitehat community with your bug.  go to the software developers directly.
> and no one else.  that is, assuming you want to tell anyone at all...
which
> i dont personally advocate but we have to be realistic here... some ppl
> wont let go of ethics, and i understand that.  you're probably a good
> example.
>
> > Let me provide you with a rather incredible piece of information on this
> > subject --
> > the list will *never* be moderated.  Plain and simple.
>
> you have said this a number of times.  as have other people.  its not all
> that incredible.  really.  in fact i'm starting to wonder if this is the
> only line of defence you whitehats have.  to cling to your precious list
> and scream in a whiney voice "we're not leaving".  hell, i dont expect
> you to.  thats far to simple a solution.
>
> > > glad to see we have another supporter then.
> >
> > I'm not planning on leaving any time soon...
>
> thats the spirit!
> *hands you a pint*
> *takes it back*
> you _are_ old enough to drink in your state, right?
>
> > These "phrack" idiots are spoiled children -- whine about everything,
and
> > act like
> > they have some level of importance in the world by way of a pitiful
attempt
> > to
> > destroy another sign of progress in information security.
>
> you dont read much do you, Matthew.  i mean you're not into philosophy or
> sociology a whole lot are you, really.  its a shame i dont have more time
> to explain in detail just how much of a difference the PHC will make in
> the long run.  i'll try and make some time over the next few days to spell
> it all out for you.  stay tuned :)
>
> > You referred to the list (the list *named* "Full-Disclosure", btw) as a
> > middle
> > ground between those in support of Full-Disclosure and those who aren't.
I
> > don't think we would have named such at it is if it were a "middle
ground",
> > correct?
>
> definitions change.  discussions on *Full-Disclosure* to date have already
> covered this phenomena.  embrace change, Matthew, dont push it away.
>
> > You don't have to be fighting a war to be determined, as is true in this
> > case.
> > I am (don't know about you) determined not to let a bunch of bored,
anti-
> > social losers force this list into moderation.
>
> if that comment is supposed to be directed at me in some way, then i must
> protest.  i'm not bored.  in fact i'm taking time off work to post here
> so i'd appreciate a bit more respect thanks.  and the reason why i am so
> damned anti-social is because i work harder doing what i do than you ever
> will.  going *outside* is not something one considers when they're working
> 24hr schedules inside.
>
> > > oh i agree.  i'm much prefer to see this list turned into an
anti-whitehat
> > > discussion list.  seems like much more of an appropriate place than a
newer
> > > list for sure.  i mean, this list is much more known than a list that
> > hasn't
> > > even been created yet.  and its audience is probably more likely to be
less
> > > fearful of involving itself, than say, if this list were renamed to
> > "WHITEHAT
> > > HOLOCAUST".  dont you agree?
> >
> > You won't have a whole ton of support on that one, I'm afraid...
(definitely
> > not any from me) :-)
>
> and i'm seeing this exemplified how?  on the one hand you're saying you're
not
> going to leave... on the other you say you're not going to support the
list...
> i'm getting conflicting messages here, Matthew.
> --
> __________________________________________________________
> Sign-up for your own FREE Personalized E-mail at Mail.com
> http://www.mail.com/?sr=signup
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html