Dailydave mailing list archives

Re: Anonymized posting


From: "wirepair" <wirepair () roguemail net>
Date: Wed, 09 Jun 2004 13:15:17 -0800

I definitely find your points interesting, but what about people who just like to eff around and find stuff?
Then just release it, not for monetary gain, not really for fame, just for the fun of finding bugs? Does it
really matter if we disclose or don't disclose? I don't find bugs for any reason other than A. I'm bored 90%
of the time, and B. It's interesting and fun. I don't really think anyone needs to legitimize why they find bugs to anyone but themselves.

Moving on to 'safe to use'. Shit, nothing is safe to use; patches could blow the program up, or bugs, or kids, or whatever. Fact of the matter is, Shit Breaks All the Time.

-wire

On Wed, 09 Jun 2004 17:04:50 -0400, Dave Aitel <dave () immunitysec com> wrote:
Hi list!

http://security.e-matters.de/advisories/092004.html

More CVS bugs killed, bringing the number of published CVS bugs from e-matters (not that all were found by e-matters, but counting them as the originating point of the advisory) to eight. Unless I've missed some.

The question now is - is CVS safe to use?

If you're killing bugs for fame (or because you used to be a hacker, and decided to do your part to ruin that wonderful experience for today's youth - you know who you are, and this isn't directed at a single person (but the single person that thinks it is should take this to heart)) you should probably find something a bit more noble to do with yourself. If the best you can do is to try destroying something you once loved, just because you've decided to grow up and no longer be a part of that, then you're simply an uninteresting person. Nothing more than a one trick pony. And while you might be great at that one trick, you're still generally a complete waste of humanity.

If you're killing bugs as a legitimate effort to make something secure, you need to realize that unless you can stand behind your releases and say that "this software is now secure" you aren't doing anything.

You might think that you are some sort of internet superhero, but unless you can actually give some sort of guarantee that the software is safe for use, you are nothing but another KF (by KF, I mean clueless idiot finding easy bugs for fame and obviously not being able to make a promise of security in an application after your audit) just making noise, hoping enough of the public is dumb enough to be impressed with your childish actions and bring a few dollars your way.

Probably the greatest thing that has happened with full disclosure efforts recently, was ISS and their proftpd bug. Most impressive was the exploitable bug introduced with the patch. Why this didn't get any real attention, I'm not sure. But a security company recommending to patch for a bug they found, with a bug they've written, is funny. And if they want to say it wasn't part of the patch they provided that's fine - it is still their obligation to their clients to say, "this patch is safe to use".

So, back to the point - will any representative of e-matters like to step forward and say, "CVS is safe to use"? Or are they going to sit idle and say, "sure, we found some bugs, but there could be more, we don't know!" and continue to blow smoke up the asses of the public?

Because, that's what this disclosure nonsense is all about, without someone having the balls to stand by their work and say they've provided security.

In other news, the iDEFENSE squid advisory is worth laughing at.

http://lists.netsys.com/pipermail/full-disclosure/2004-June/022415.html

A friend and I were discussing the other night some modifications to these bullshit "disclosure guidelines". We'd like to see security companies only release advisories concerning default and widespread issues - anything else should just be silently fixed. If you can't come up with something interesting, stop trying to pretend that it is to sell your imaginary security services.

Back to the advisory itself - linking to a specific patch for the problem, and advising to "Recompile Squid-Proxy with NTLM handlers disabled." is funny. For those of you at iDEFENSE who don't understand why this is funny, if your clients have specifically built their Squid with that functionality, it almost certainly means they need that functionality! So, why not figure out how to actually use the patch and advise them to use that? Because, you're just blowing smoke up their asses for a few dollars too.

So, e-matters and iDEFENSE - care to step forward and make the bold claim of either product being safe to use? "Safer" doesn't really mean anything in the world of computer security, so claiming the publication of single bugs makes it safer is pretty sad sounding!

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
