Re: GUNINSKI THE SELF-PROMOTER

["mattmurphy () kc rr com" <mattmurphy () kc rr com>]

I must first say that I delayed in responding to this, because I was trying
to decide if there was any way I could actually take this laughable post
seriously.  I've decided I couldn't conceivably believe that the poster was
being serious, as there was not one accurate fact in the entire post.  My
responses are in the original poster's order for clarity's sake.

dhtml () hush com wrote:
> > You may remember that Guninski completely failed to notify the VIM
> > development team of security vulnerabilities in its product, and 
> > these were brought up by a third party on VIM-DEV for the first time.  
> > I would have understood CC'ing the major security lists with the post 
> > *in addition to* vim-dev, as it *is* a public channel.
>
> I certainly don't remember that. Seems Georgi  said:
>
> " Vendor status: vim.org and some vendors were notified on Mon, 25 Nov
> 2002"
>
> After releasing it on Thu, 12 Dec 2002. I think I will believe Georgi's
> version. Not yours.

And it seems Georgi lied.  The VIM mailing lists, and all mailing lists
hosted at the mailing list archive (MARC) site (Full-Disclosure, BugTraq,
vim-dev, etc.), not one post appears by Guninski from July to December.

> > After all, Guninski has not produced an advisory detailing a security
> > vulnerability of any kind in a Microsoft product since July 31, 
> > 2002, so what right does he have to say that trustworthy computing is 
> > a flop?
> >
> > Clearly, Georgi Guninski couldn't get a job, and relying on the 
> > Apache 1.3 descriptor leak (shudders), or perhaps a local 
> > command execution bug in vim, or worse, a format string in the 
> > Etheral socks dissector, wouldn't get him anywhere.  So, he has 
> > slanted every story he could get a hold of, turning a non-issue of 
> > one-month delays into ridiculous, childish, kiddies' rhetoric about 
> > MS' irresponsibility.  Even funnier is that while he was
> > making a major deal out of MS security being unresponsive, he wasn't
> > even notifying open-source vendors of security vulnerabilities!
>
> Your transparent and sudden "love affair" with Microsoft and "responsible
> disclosure" doesn't fool us Matthew.  It is you that is desperately
> seeking employment and the louder you shout, the better chances you think
> you may have. Oh Matthew. You turncoat you.

"Turncoat" is not the term I would use, just "educated".  My
Full-Disclosure obsession (and that's what some would call it), came from a
bad experience with MS in my *first ever* bug report, where I ignored
concepts like potential impact in favor of presuming that Microsoft was
deliberately neglecting the issue.  From then on, I was biased.

After having dealt with MSRC on several more occasions, I realize that MSRC
really is serious about resolving these vulnerabilities.  And, after all, I
wouldn't have my own business plans if I were "desperately seeking
employment".  Personally, I am no fan of people who bring their personal
agendas onto the list, and I wouldn't do this myself.

> > Also, Bruce Schneier has little or no room to talk, as his "Password
> > Safe" tool was unable to keep local passwords safe, let alone a large
> > product base of network applications:
> Please. You're embarrassing yourself. Matthew Murphy, wannabe virus writer.
> Why not skip on back to alt.comp.virus.source.code to try and figure it
> all out before taking on Schneier. Matthew, Matthew, Matthew you'd spin
> around like a little girl in the vortex of his knowledge should he even
> fart in your direction.

I won't deny that Schneier knows his stuff when it comes to encryption, but
I think his statement that security vulnerabilities can be completely
eliminated if we want to is silly, and perfectionist in nature.  What I was
trying to say, is that regardless of how good Schneier is, he too has had
his slip ups.  Every major network application that is widely deployed
today has had, or will have, a major vulnerability of some kind.

> HAHAHAHA  sig of the year:
>
> "Bruce Schneier has little or no room to talk"
> - - MATTHEW MURPHY - CODE RIPPER, JULY 15 2003

This ridiculous accusation is addressed below, since the original poster
does not know how to keep a conversation flowing...

> > I also ask you to take into account the fact that altering a mindset
> > takes time.  Security vulnerabilities were all but ignored in the early
> > days of single-user non-networked Win16.  Those early days are the source
> > of some of the Win32 message routines implicated in the recent "Shatter"
> > attacks.
> >
> > Microsoft has had to work against buggy base code, and teams of developers
> > who were never taught a bit about security.  Essentially, Microsoft
> > is working against its own history.  For a company of Microsoft's size,
> > this is not easy.  For all of the work that requires, I'd say that
> > Microsoft is doing a damn good job.
>
> Keep it up Matthew, they'll come a recruiting soon enough.

I sense a pattern here: Your brain is too small to respond with accurate
statements, so you take little cheap shots that can never be exhaustively
proven to be either true or false, as they involve my future planning.

> For shits and giggles here are two of Matthew "Bruce Schneier has little
> or no room to talk" Murphy's code rips:
>
> 1. DoS in Multiple IE Versions (Self-Referenced Directives) Date: 2002-
> 04-20
>
> "[description snipped]
> - ---- [ CRASH.HTM ] ----
> <OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
> - ---- [ CRASH.HTM ] ----
> [description snipped]"
>
> Gosh, this was discovered in March 1998 by Abe L. Getchell. Even the
> named html is almost the same LoL!
> [code/description snipped]

Truth be told, Getchell's 1998 exploit no longer works in IE 6.0, not sure
about other supported versions.  The only error caused by Getchell's
exploit was that the status bar's progress bar never fills.  It appears
that Microsoft actually added a check to detect this attack.

However, my exploit, dated April 2002, still works against IE 6.0 SP1
today.  Why is this?  Because the check only is invoked when a null data
type is used (e.g, TYPE="", or no TYPE property).  IE does not actually
check for loops in the event that an explicit type is specified, as an
external processing library is actually invoked.

> 2. Microsoft Outlook Express Spoofable File Extensions Vulnerability
> http://www.securityfocus.com/bid/5277 published Jul 20, 2002
>
> You "pinched" ;-) that one from virus writer, Simon Vallor, Outlook GenKit:
>
>    "malware.JPG              .EXE                  .JPG"
>
> Problem there is, Simon pinched it from bugtraq already in the archives
> back in  August, 2001 which is what is generator was created for.
>
> http://www.securityfocus.com/archive/1/157279/2003-07-13/2003-07-19/2
>
> Content-Type: image/gif; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Content-Disposition: attachment;
> filename="nicepic.gif[spaces snipped].vbs.gif"
>
> set WshShell = WScript.CreateObject("WScript.Shell")
> WshShell.Run("telnet.exe")

Surprise, wrong again!  While Shane Hird's original example, and the
resulting exploit in Simon Vallor's code generator, both manipulate the
mechanism that determines the icon for the attached file, my examples
proved that it was possibly to bury executable attachments, or simply
manipulate their file names:

someimage.txt.[spaces]vbs.

For instance, opens in WSH, but appears as a standard text file.  The two
exploits use similar techniques, but are not exactly the same.  Perhaps I
could have better searched for this, and assigned credit for the varied
discovery to Shane Hird, however, it is not a direct "rip" as you claim.

> Lord alone knows what else you have been helping yourself to Matthew.
> No worries there mate, you'll fit in well with Microsoft once they come
> a calling

This has already been disproven before -- old baggage.  You clearly had a
bruised ego after hearing the truth about the situation (as you, like many
others, including Georgi Guninski, are inherently biased against Microsoft).

> Are you still 14? Seems like ages. But you'll hopefully grow up one day.
>
> Cheers Big Ears! :D

Ha!  If anybody needs to grow up, it is yourself.  You've yet to provide
anything of value to the list, so I don't have much sympathy for you.

> Oh. and p.s. - feel free to help yourself to anything else you might
> fancy. "Pad" the resume for Microsoft you see ;-)

My resume requires no padding at all -- it can actually secure a job based
on its real merit only -- if/when I'm searching for a job, that is. :-)

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html