Full Disclosure mailing list archives
(no subject)
From: full-disclosure () lists netsys com (Fred)
Date: Mon, 19 Aug 2002 18:39:50 +1000
"well then that's the company's problem isn't it. in a hypothetical situation like that you should be aiming your complaints not at the lack of a security industry but at the software developers' idiotic business practices."

Aye, it is idiotic business practices, but as much as it is the $company's problem, it is also the users'... as they are using the software with the hole, and they must protect themselves and their clients. (btw, although it was presented in a hypothetical manner, the mentioned situation has proven itself to be the real case too many times.)

"not really. if the concept is out there but the vendor isn't going to do anything... then you're posing a greater security risk by having the vulnerability out there aren't you. forcing vendors to fix bugs by threatening to make those bugs public is a poor solution to shoddy workplace practices."

Ok, but if someone like me finds a major security hole in a widely used system, chances are a great many $kiddles are already aware of the problem, whether through self discovery (hehe, yeah right), or through overhearing blackhats sharing info. By releasing the exploit it allows two things:

1) Experienced system administrators to devise temporary hacks to work around the bug until it is properly fixed. (and let's say no one did know about the exploit, I would lay money an experienced sys-admin could write a correction hack faster than most $kiddles could figure out how to turn a proof of concept into something dangerous... or even compile some of them :p )

2) It gives the $company motivation to fix the problem, where there was no motivation before... why would a mega-$company fix a bug if in their mind no one knew about it? they don't care... release info on the bug... and proof of concept, and you question their reputation... this will get most $companies moving.

Anyway, I am dribbling...
Cheers

----- Original Message -----
From: "sockz loves you" <sockz () email com>
To: <full-disclosure () lists netsys com>
Sent: Monday, August 19, 2002 5:20 PM
Subject: Re: [Full-disclosure] (no subject)
----- Original Message -----
From: "M L Lynch [ SotG ]" <fred () the-debaters com>
Date: Mon, 19 Aug 2002 15:38:12 +1000
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] (no subject)

"If you ever find a major security bug in a major piece of software, such as M$ software, approaching the vendor directly does not work. Quite often they will just add it to the end of the list of complaints, and might get around to it in some future patch... if they feel like it... and if they think the security bug you found poses great risk, they still won't fix it till they feel like doing it.. instead, they now know who you are... and they take subtle yet effective precautions to make sure you don't tell anyone about it. I know."

well then that's the company's problem isn't it. in a hypothetical situation like that you should be aiming your complaints not at the lack of a security industry but at the software developers' idiotic business practices.

"At least if proof of concept is out there, and the risk is publicly known, they have some motivation to fix it, and the users of the product can take precautions to get around the bug until it is fixed."

not really. if the concept is out there but the vendor isn't going to do anything... then you're posing a greater security risk by having the vulnerability out there aren't you. forcing vendors to fix bugs by threatening to make those bugs public is a poor solution to shoddy workplace practices.

"Anyway, my thoughts."

interesting nonetheless

"Cheers"

likewise

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html