Full Disclosure mailing list archives

Re: XSS at Citibank.co.uk


From: Frank de Wit <frankdewit () home nl>
Date: Sun, 14 Aug 2005 13:47:37 +0200

i have read perhaps a thousand emails since 1995 or so about (full)disclosure... i hope i read them well enough... this is my first reaction to one (if i remember well)
i think Bob's email is short, accurate and (one of) the best...

if there's a bad product in the market, no matter what market
tell all your friends it's a bad product and tell them why you think that (proof would be nice instead of just feelings about people on a helpdesk ;-)
then tell all your friends what new better product you are using now and why it's better and then stop talking about it... step back from the discussion and let everyone create their own opinion
producers of bad products will improve or... cease to exist, end of problem, some will die fast, some take more time (and a little help from us)... we are always stronger than multinational companies and governments (large marketing machines are also expensive :-)

talking about disclosure is a question already answered too often, let's take it a step further now
-all information should be free and publicly accessible for everyone-
       -i am the only one to decide what to read and what to say-

--
the next great task for mankind is to slow down...



bruen () coldrain net wrote:

Hi Jim,

 Besides the obvious, exactly why should Cisco or any other vendor in our
business be shielded from public scrutiny on products which are faulty? I
am sure that Merck would like to have kept Vioxx on the market, even
though people died from it. I am just as sure that Guidant Corp did not
want the problems with their pacemakers made public, so that they have to
fix them for free. What about Ford Explorers and exploding tires? They
can't even give them away today. Since there is no equivalent to Consumer
Reports for us, we are left with public disclosure.

If it is important enough to stop public disclosure of problems, then
it's important enough for vendors to start taking responsibility for what
they produce. The resources going into stopping public disclosure would be
better used to help secure the products. Those lawyer fees would be a good
start.

                     regards, bob


On Sun, 14 Aug 2005, Jim Duncan wrote:
While any method of contact is better than none, may I suggest you check
the list of FIRST teams at http://www.first.org/ before posting
publicly?  While I can't guarantee any given organization will be a
member -- nor can I guarantee a response to the given address --
Citigroup is a long-time member of FIRST, and their first-team members
have demonstrated excellent responsiveness in the past.
snip... FIRST Steering Committee Member and FIRST.Org, Inc., Board of Directors

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

