Dailydave mailing list archives
Re: How Apple orchestrated web attack on researchers
From: ¯`·._The Sun_.·´¯ <sun () vakharia info>
Date: Wed, 21 Mar 2007 11:18:13 +0530
Greetings Ralph. You bring up an interesting point. The closest I have come across to what you are looking for is this paper: http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

The author has got a blog on this topic: http://www.bloginfosec.com/?author=1

Cheers,
Sun

P.S. I don't think any corporation can 'smash the reputation of' any security researcher. Building, sustaining and smashing of one's reputation is purely an individual's own responsibility.
> Date: Tue, 20 Mar 2007 10:10:57 -0700
> From: rkl () blackops org
> To: daniel () ugc-labs co uk; dailydave () lists immunitysec com
> Subject: Re: [Dailydave] How Apple orchestrated web attack on researchers
>
> This argument/discussion has been going on for years. RE: l0pht vs. MS, etc.
>
> What I'd like to see is a scientific study on the public stock data and the release of vulnerabilities by researchers and its effect on a stock price.
>
> Does anyone think to mention the amazing coincidence of ISS releasing a vulnerability just before the Checkpoint/Sourcefire acquisition announcement, then later just before the IPO?
>
> Anyway, besides that I haven't seen any verifiable data that shows causality of vulnerability release affecting stock price. If someone has done the research, I'd love to read about it.
>
> Brand identification and protection is indeed paramount to any corporate entity and now personal brand protection with Web 2.0's emergence into co-branding and micro-branding. So while it is each stake-holder's job to protect and advance the brand, don't you think that MS has done this in the past 8 yrs with their commitment to security? This is not a question to begin a discussion on the fact; it is indeed fact when considering their forward movement in this area.
>
> Regards,
>
> rkl
>
> Daniel (daniel () ugc-labs co uk) wrote:
> > Firstly I'm not a mac head, I use a tool called Apple. It has its problems just like my Mamiya camera and my toilet. Let's keep the insults down to a mature level yeah?
> >
> > > On 3/20/07, Daniel <daniel () ugc-labs co uk> wrote:
> > >> Tell me George, if you owned a mega corporation and you had two researchers threatening to drop a few % from your share price, what would you do? Open up your arms, give them a free macbook and see millions lost on the FTSE/Nasdaq?
> > >
> > > Yea, let's just lie about everything and cover it up. That always works out well....
> >
> > Again welcome to how business is done. 8/10 current top FTSE 100 companies today make use of aggressive tactics to ensure survival, why is IT and this industry any different?
> > >
> > >> Apple's PR protected the brand, same as Bush protected his brand and Billy G protected his brand. This is business 101 and it's time for security and security researchers to realise the golden years are long gone in today's litigation market. I can't just walk into Ford and say that all American cars are crap, blow up and kill people without expecting some force, so why do researchers think they can get away with it with this "we are protecting the world" approach?
> > >
> > > That comparison makes no sense at all. You are comparing two people finding a flaw in wireless drivers with blowing up and killing people.
> >
> > This is where you miss the point, it's about BRAND PROTECTION. Yes the world would be much better if everyone was open, but that doesn't happen in the real world. Oracle still bills its database server as unbreakable, are they lying?
> > >
> > > Every Machead I debate this with says the same thing. They argue about how Full Disclosure is bad for everyone and how all of us are wrong and unethical for releasing flaws to the public if a company doesn't patch a flaw in a timely and appropriate manner. I'd like to remind you that this isn't the first incident where Apple has lied to the public about the seriousness of a flaw to protect themselves.
> >
> > If you actually knew me, you know I support full disclosure. I'm not some wet behind the "oooh mummy got me a hacking exposed book, i can hack like Dave A now" kid, I've been in this damn industry for a long time now. I can give you countless other examples of companies who have protected their brand like Apple have done. It's not right, it's not clever but this has been happening since the early 1900's (Coke is good for you, can fix all your health problems, oooh smoking hasn't killed anyone, Firestone tyres are totally safe USA!)
> > >
> > > You (and the rest of the Apple community that thinks this way) need to wake up. Would you rather us find flaws and keep them to ourselves if the vendor decides not to fix it?
> >
> > Again assumptions are being made about me. I've found flaws, I was due to talk about them this month at EUSecWest but things happened that prevented me from doing so. I've spent loads on lawyers and would have rather spent it on buying a new Hasselblad. Do you know me at all?
> > >
> > > That's how the blackhat community works, they find flaws and keep them to themselves for later use. The blackhat community doesn't give a crap about what the corporations think, they have no rules to abide by. If they find a flaw, they keep it to themselves and use it when they deem necessary.
> >
> > Educating anyone on daily dave who actually has been on this list for longer than 1 year on how the "blackhat" community works is funny. Us old farts remember gov-boi and the "blackhat" sites like hack.co.za, hell I even hosted the site back in the day, so yes I'm fully aware of how this community works, again please stop thinking I'm 19 years old.
> > >
> > > There is a good chance that a number of these flaws were already known by the blackhat community. Do you feel safe knowing that blackhats have their own private collection of exploits that they can use against you? Would you rather they continue to have a collection of unpatched flaws? Instead of binding the hands of white hats with legal and political garbage, you should be encouraging them to find and disclose flaws, not cover them up and hide them. People need to be aware of the risk to their information.
> >
> > Security research has changed since the 90's, especially in modern America and Europe. You cannot disclose information today and not expect some legal challenge. David and Co found this out the hard way, which I do feel for them. This is one reason I will never report on any issue I find anymore. It's not worth it.
> > >
> > > Don't get me wrong. I'm all for responsible disclosure, but Apple has shown time and time again that they will not act responsibly in return. The community needs to be aware of the risks and if Apple won't tell the truth, then the community will.
> >
> > - Cisco
> > - Microsoft
> > - Lotus
> > - Oracle
> >
> > Shall I go on? Hell ask Dave L or Cesar about how responsible Oracle have been, I don't see any hate articles addressed to Mary Ann. Before I retired from IT, 12 years of experience taught me that every damn IT company lies. Apple isn't doing something new, why do you think RFP wrote his original policy back in the day?
> > >
> > > Blackhats already have the advantage, why give them one more by binding our hands? Do you REALLY want that risk?
> >
> > You have totally missed the point of my mail. Everyone in this wireless cock-up handled it wrong. Dave and Co did it for the media, Apple should have come clean and Christ knows, BLOGGERS CAN'T be expected to have the same journalistic integrity that traditional media does.
> >
> > This industry is at a crossroads. We need to grow up and mature and realise that for every action there is a reaction. Companies are no longer willing to accept some researcher blurting out some issue, no matter how serious it is, without taking into consideration the financial implications.
> > >
> > > --
> > > Bow Sineath - bow.sineath () gmail com
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> --
> They that can give up essential liberty
> to purchase a little temporary safety
> deserve neither liberty or safety
> -- Benjamin Franklin