Full Disclosure mailing list archives
(no subject)
From: full-disclosure () lists netsys com (M L Lynch [ SotG ])
Date: Mon, 19 Aug 2002 15:41:46 +1000
"incorrect. vendors are just human. do produce code that perfect you'd end up paying a whole lot more. my method works better. dont approach the whitehat community with your bug. go to the software developers directly. and no one else. that is, assuming you want to tell anyone at all... which i dont personally advocate but we have to be realistic here... some ppl wont let go of ethics, and i understand that. you're probably a good example."

I don't usually post to mailing lists, but I just had to comment on the above remark ^

If you ever find a major security bug in a major piece of software, such as M$ software, approaching the vendor directly does not work. Quite often they will just add it to the end of the list of complaints, and might get around to it in some future patch... if they feel like it... and if they think the security bug you found poses great risk, they still won't fix it till they feel like doing it.. instead, they now know who you are... and they take subtle yet effective precautions to make sure you don't tell anyone about it. I know.

At least if proof of concept is out there, and the risk is publicly known, they have some motivation to fix it, and the users of the product can take precautions to get around the bug until it is fixed.

Anyway, my thoughts.

Cheers

----- Original Message -----
From: "sockz loves you" <sockz () email com>
To: <full-disclosure () lists netsys com>
Sent: Monday, August 19, 2002 2:33 PM
Subject: Re: [Full-disclosure] (no subject)
----- Original Message -----
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 18 Aug 2002 09:51:02 -0500
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] (no subject)

>> whitehat using outlook express. hehe, gotta love the irony in life.
>
> Your point? OE was free, and came installed on my machine (which was important on my 28.8 kbps connection, which I have happily ditched now), it's fast, and actually, OE 6 makes some nice security/privacy improvements over previous versions, and I can access Hotmail from it, which is a plus.
>
> Actually, if you keep your client patched (which is pretty easy with a couple of apps named "wuauboot.exe" and "wuauclt.exe" from Microsoft that *also* came conveniently installed as "Windows Update Automatic Update"), and you have enough common sense not to go double clicking on every other attachment you receive, OE is just as good as (and usually better than) many mail clients.

kids these days have no appreciation of just how fast the internet is. dude, i was downloading openbsd on a 33k modem only a few months ago... i dont see how your point is very valid. i mean, we're talking about an email client here, not an entire operating system. hotmail is as buggy as outlook express, and as for windows updates... well, i can honestly say that i'd rather patch windows myself, microsofts "updates" seem to cause more problems than they fix. perhaps outlook express is good. perhaps its not. i just found it funny that someone like yourself was actually using the product given its sullied reputation in the security industry.

> I wouldn't be protected against it if the details weren't made public and fixes made available to me. Just FYI blaming the industry for the proliferation of security info is not a very good way to look at this. Vendors should have written secure code in the first place, so such vulnerability information would never have to be distributed.

incorrect. vendors are just human. do produce code that perfect you'd end up paying a whole lot more. my method works better. dont approach the whitehat community with your bug. go to the software developers directly. and no one else. that is, assuming you want to tell anyone at all... which i dont personally advocate but we have to be realistic here... some ppl wont let go of ethics, and i understand that. you're probably a good example.

> Let me provide you with a rather incredible piece of information on this subject -- the list will *never* be moderated. Plain and simple.

you have said this a number of times. as have other people. its not all that incredible. really. in fact i'm starting to wonder if this is the only line of defence you whitehats have. to cling to your precious list and scream in a whiney voice "we're not leaving". hell, i dont expect you to. thats far too simple a solution.

>> glad to see we have another supporter then.
>
> I'm not planning on leaving any time soon...

thats the spirit! *hands you a pint* *takes it back* you _are_ old enough to drink in your state, right?

> These "phrack" idiots are spoiled children -- whine about everything, and act like they have some level of importance in the world by way of a pitiful attempt to destroy another sign of progress in information security.

you dont read much do you, Matthew. i mean you're not into philosophy or sociology a whole lot are you, really. its a shame i dont have more time to explain in detail just how much of a difference the PHC will make in the long run. i'll try and make some time over the next few days to spell it all out for you. stay tuned :)

> You referred to the list (the list *named* "Full-Disclosure", btw) as a middle ground between those in support of Full-Disclosure and those who aren't. I don't think we would have named such at it is if it were a "middle ground", correct?

definitions change. discussions on *Full-Disclosure* to date have already covered this phenomenon. embrace change, Matthew, dont push it away.

> You don't have to be fighting a war to be determined, as is true in this case. I am (don't know about you) determined not to let a bunch of bored, anti-social losers force this list into moderation.

if that comment is supposed to be directed at me in some way, then i must protest. i'm not bored. in fact i'm taking time off work to post here so i'd appreciate a bit more respect thanks. and the reason why i am so damned anti-social is because i work harder doing what i do than you ever will. going *outside* is not something one considers when they're working 24hr schedules inside.

>> oh i agree. i'd much prefer to see this list turned into an anti-whitehat discussion list. seems like much more of an appropriate place than a newer list for sure. i mean, this list is much more known than a list that hasn't even been created yet. and its audience is probably more likely to be less fearful of involving itself, than say, if this list were renamed to "WHITEHATHOLOCAUST". dont you agree?
>
> You won't have a whole ton of support on that one, I'm afraid... (definitely not any from me) :-)

and i'm seeing this exemplified how? on the one hand you're saying you're not going to leave... on the other you say you're not going to support the list... i'm getting conflicting messages here, Matthew.

--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html