Full Disclosure mailing list archives
Re: Re: [WEB SECURITY] Cross Site Scripting in Google
From: n3td3v <xploitable () gmail com>
Date: Thu, 6 Jul 2006 18:46:43 +0100
On 7/6/06, Martin O'Neal <martin.oneal () corsaire com> wrote:
> > my opinion is that full disclosure is not for vendors ..
> > it's for users. full disclosure is for us to know how to
> > react on certain threats.
>
> Which is just fine if you are technically competent to understand the threat, and there is also a valid mitigating strategy you can employ immediately. For the vast majority of situations though, this just isn't the case. The users are not technically competent enough to understand the true threat posed by an entry on a news group (which are generally hopelessly incomplete and/or factually inaccurate) and then this is coupled with a vulnerable product that may be essential, difficult to protect, and a stable official fix that may be weeks or months away from delivery.
>
> I personally also believe in full disclosure, but it has to be delivered in a responsible fashion. Dispatching vulnerabilities to a public list without even attempting to contact the vendor is clearly not in the best interest of the vendors nor the great majority of the user base.
>
> Martin...
There's more complex issues to take into consideration which are hiding under the surface. While I respect you folks are thinking on a professional, responsible and politically correct notion, it's not always as clear cut as that. Folks like "nsnake" a lot of the time don't give a crap about the vendor or the knock-on effect their disclosure might have; a lot of the time a disclosure is attention driven. Also, there's cases where the user has already contacted the vendor and has been given bad treatment in the eyes of the researcher. This is when a user might go onto a list to try and scare a vendor back into talks with the researcher, by showing the vendor you're more than willing to spill all to the public.

Finally, I wouldn't go judging folks and their competence, because you cannot tell straight off what a user knows from reading their advisory. It is easy for folks to use a nickname and carefully craft a bad advisory presentation and give inaccurate information with the disclosure. Remember, the researcher hasn't always got your best interests at heart, nor the interest to prove a level of competence to an open audience. The days of trying to be elite in front of folks is fading; that's the old scene. The new scene is money and self-agenda driven, rather than proving yourself to the vendor or wider security community. Sure, nsnake could very well be a dumb ass, but I wouldn't straight away jump to conclusions. Generally, anyone who has found this list and is reading it has a default level of competence, more than a lot of professionals realise. You the professional just take for granted that you are the expert, and the people throwing you advisories are dumbasses, unless they meet your criteria of what you expect someone who knows what they're talking about should look like.

It's not always clear cut, and you don't know the background a lot of the time: why the advisory has been released, who originally found the vulnerability, off-list arguments between members of the security community or (and) the vendor. Don't expect people to be on your side, and be civil towards you, even if the person is more than capable of being such in a real life environment. Take what you are given by researchers and don't bite the hand that feeds you. Once you bite the hand, it's unlikely he'll be able to throw you more information, if he hasn't got his hand anymore. Either that, or he just won't want to give you more information, if SCR (security community relations) have been dashed by a select few on a mailing list who decided to determine and influence his/her style of disclosure and what, if any, technical knowledge that researcher has, purely on your correspondence between the researcher and professional. Remember, sometimes the researcher doesn't want to play along with your technical discussion, and would rather confuse or conceal the true skill set of the researcher to the enemy. (Yes, a lot of the time, in the mind of the researcher you are known as the enemy, and he doesn't give a rat's ass what you think)...

Thanks,
n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/