Bugtraq mailing list archives
Re: Submission
From: Georgi Guninski <guninski () GUNINSKI COM>
Date: Tue, 28 Nov 2000 17:01:00 +0200
I rarely reply to "lame shit" as defined by the anonymous author but since he offends me publicly I must reply. 1) Regarding my relations with AOL: Your conspiracy theory is wrong. I own a software company in Bulgaria. My company has a contract with AOL for finding bugs in Mozilla/Netscape 6. AOL pay my company only for finding bugs in Mozilla/Netscape and for nothing more. AOL does not require from me to find bugs in any other product or service. I have posted several vulnerabilities in Microsoft's product long before I had any relations with AOL. 2) I do not concentrate on Microsoft's products. I concentrate on Mozilla. If I really concentrate on Microsoft's products I suppose I would find much more vulnerabilities. 3) Do you think I am so exceptional to be the only one in the world to find these vulnerabilities? I believe I am not. 4) Would you prefer not to post anything to Bugtraq and on my web site? Would you feel safer then? 5) I think the security state of most of the software industry right now is extremely bad, reaching nightmare. But the problem are not people who discover the vulnerabilites but the people who ship the products/services with vulnerabilities. 6) Regarding vendor response times: on my site there are vulnerabilities which are not fixed for 4 months and still work. Georgi Guninski hellnbak () HUSHMAIL COM wrote:
Don't know if you post this kind of lame shit, but I thought I would toss this together and see what it comes up with. ------------------------------------------------------------------------ ------------------------------------------------------------------------ --- Vedor Response and Reporting Vulnerabilities. Written by: HellNbak (hellNbak () hushmail com) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- At risk of started the age old "Full Disclosure" debate again, I felt that I had to write this. It seems lately, that the so called security industry has lost its backbone. To quote a director of a popular security portal; "The whole thing is just sickening, I am waiting for someone to say something about it". Well, here is your someone. What is sickening you ask? The recent rash of advisories that contain the following text: "I had contacted the vendor 3 days ago but they have not fixed the problem". Then we will see a response from the vendor detailing how irresponsible and uncooperative the person has been and how they are trying to get a fix rolled out. Lets look at some of the recent Georgi Guninski advisories as these are the best example. Lets look at some message threads recently found on Bugtraq and Win2KSecAdvice. Thank you to Neohapsis for the excellent archive of these plus other lists. http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0054.html http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0055.html http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0056.html The first URL set details a problem that Georgi found with a Microsoft product. Georgi decided that Microsoft needed only four (4) days to verify and fix the problem(s) he found. The message thread is a little interesting as Microsoft took the time to point out the level of cooperation recieved by Georgi. http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html This URL is another Georgi advisory, again only giving the vendor, who happens to be Microsoft again four (4) days to fix the problem. Lets refer to RFPolicy 2.0, http://www.wiretrip.net/rfp/policy.html. ------------------------------------------------------------------------ ------------ "B. The MAINTAINER is to be given 5 working days (in respects to the ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the end of 5 working days, the ORIGINATOR should disclose the ISSUE. Should the MAINTAINER contact the ORIGINATOR within the 5 working days, it is at the discretion of the ORIGINATOR to delay disclosure past 5 working days. The decision to delay should be passed upon active communication between the ORIGINATOR and MAINTAINER. C. Requests from the MAINTAINER for help in reproducing problems or for additional information should be honored by the ORIGINATOR. The ORIGINATOR is encouraged to delay disclosure of the ISSUE if the MAINTAINER provides feasible reasons for requiring so. D. If the MAINTAINER goes beyond 5 working days without any communication to the ORIGINATOR, the ORIGINATOR may choose to disclose the ISSUE. The MAINTAINER is responsible for providing regular status updates (regarding the resolution of the ISSUE) at least once every 5 working days. E. In respect for the ORIGINATOR following this policy, the MAINTAINER is encouraged to provide proper credit to the ORIGINATOR for doing so. Failure to document credit to the ORIGINATOR may leave the ORIGINATOR unwilling to follow this policy with the same MAINTAINER on future issues, at the ORIGINATOR's discretion. Suggested (minimal) credit would be: "Credit to [ORIGINATOR] for disclosing the problem to [MAINTAINER]." F. The MAINTAINER is encouraged to coordinate a joint public release/disclosure with the ORIGINATOR, so that advisories of problem and resolution can be made available together." ------------------------------------------------------------------------ -------------------From reading this section of RFPolicy, it is clear that Georgi Guninskiwas not too far off of the mark by only giving Microsoft four days to respond. But was he really? Did Georgi cooperate with Microsoft? According to Microsoft he did not. Georgi himself claimed to not be required to work with Microsoft for free. Lets jump away from this for a minute so I can clarify a few things. A.) I am not a Microsoft employee or even all that pro-Microsoft. I am using Microsoft as my example as I do feel that they are treated unfairly by most when reporting vulnerabilities. B.) There is nothing forcing Georgi or anyone for that matter to follow RFPolicy, but the policy is a good idea and is very sound, so why not follow it. C.) This one is important, for those of you who do not know, Georgi Guninski is a security contractor. Currently, he is under contract with AOL/Netscape. Hmmmmmm...... OK, with that being said many of you are probably thinking that Georgi is not allowed to cooperate with Microsoft because of his job with Netscape/AOL. To be blunt, this is nothing more than a lame excuse. Companies work with their competitors over security holes constantly. In fact, I have seen advisories (the recent MS Network Monitor ones as an example) that contain issues worked on by two very competitive companies, ISS and NAI. Could one assume that Georgi is only releasing his vulnerabilities in this fashion because Microsoft is a competitor? What is Georgi's job description at Netscape? Why is Georgi only concentrating on Microsoft products? Something smells here, and for once it is not Microsoft. I am a supporter of full disclosure, or should I say RESPONSIBLE full disclosure. It seems to me that people like Georgi Guninski while they claim to support full disclosure obviously support it for reasons other than the good of the security community. A security professional has a responsibility to report issues to vendors and to work with vendors to solve them. Doing this gets you the security professional recognition from the vendor and looks great on a resume. Being irresponsible does not. I know a lot of you are probably thinking that this rant is pointed directly at Georgi and I guess it is as he is probably the largest offender. Georgi, take this message for what it is worth, you are no longer doing the security industry a service, you are letting people know that AOL/Netscape and their big pockets can take a once respected person and obviously very intelligent security professional and use them to do their bidding. Send your flames and comments to hellnbak () hushmail com
Current thread:
- Submission hellnbak (Nov 28)
- Re: Submission Ryan Russell (Nov 29)
- Re: Submission Georgi Guninski (Nov 29)
- Re: Submission Geo. (Nov 29)
- Re: Submission Gunther Birznieks (Nov 30)
- <Possible follow-ups>
- Re: Submission hellnbak (Nov 29)
- Re: Submission Georgi Guninski (Nov 30)
- Re: Submission Robert G. Ferrell (Nov 29)
- Re: Submission Scott Blake (Nov 30)
- Re: Submission aarhus (Nov 29)
- Re: Submission Rune Kristian Viken (Nov 30)
- Re: Submission Geoffrey Moon (Nov 30)
- Re: submission rain forest puppy (Nov 30)
(Thread continues...)