Dailydave mailing list archives

Re: How Apple orchestrated web attack on researchers


From: ¯`·._The Sun_.·´¯ <sun () vakharia info>
Date: Wed, 21 Mar 2007 11:18:13 +0530

 
Greetings Ralph.
 
You bring up an interesting point.
 
The closest I have come across to what you are looking for is this paper: 
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf
 
The author has got a blog on this topic: http://www.bloginfosec.com/?author=1
 
Cheers,
Sun
P.S. I don't think any corporation can 'smash the reputation of' any security researcher. Building, sustaining and 
smashing of one's reputation is purely an individual's own responsibility.
 



> Date: Tue, 20 Mar 2007 10:10:57 -0700
> From: rkl () blackops org
> To: daniel () ugc-labs co uk; dailydave () lists immunitysec com
> Subject: Re: [Dailydave] How Apple orchestrated web attack on researchers
>
> This argument/discussion has been going on for years. RE: l0pht vs. MS, etc.
>
> What I'd like to see is a scientific study on the public stock data and the release of vulnerabilities by researchers and its effect on a stock price.
>
> Does anyone think to mention the amazing coincidence of ISS releasing a vulnerability just before the Checkpoint/Sourcefire acquisition announcement, then later just before the IPO?
>
> Anyway, besides that I haven't seen any verifiable data that shows causality of vulnerability release affecting stock price. If someone has done the research, I'd love to read about it.
>
> Brand identification and protection is indeed paramount to any corporate entity, and now personal brand protection with Web 2.0's emergence into co-branding and micro-branding. So while it is each stake-holder's job to protect and advance the brand, don't you think that MS has done this in the past 8 yrs with their commitment to security? This is not a question to begin a discussion on the fact; it is indeed fact when considering their forward movement in this area.
>
> Regards,
>
> rkl
>
> Daniel (daniel () ugc-labs co uk) wrote:
> > Firstly I'm not a mac head, I use a tool called Apple. It has its problems just like my Mamiya camera and my toilet. Let's keep the insults down to a mature level, yeah?
> >
> > > On 3/20/07, Daniel <daniel () ugc-labs co uk> wrote:
> > > > Tell me George, if you owned a mega corporation and you had two researchers threatening to drop a few % from your share price, what would you do? Open up your arms, give them a free macbook and see millions lost on the FTSE/Nasdaq?
> > >
> > > Yea, let's just lie about everything and cover it up. That always works out well....
> >
> > Again welcome to how business is done. 8/10 current top FTSE 100 companies today make use of aggressive tactics to ensure survival, why is IT and this industry any different?
> >
> > > > Apple's PR protected the brand, same as Bush protected his brand and Billy G protected his brand. This is business 101 and it's time for security and security researchers to realise the golden years are long gone in today's litigation market. I can't just walk into Ford and say that all American cars are crap, blow up and kill people without expecting some force, so why do researchers think they can get away with it with this "we are protecting the world" approach?
> > >
> > > That comparison makes no sense at all. You are comparing two people finding a flaw in wireless drivers with blowing up and killing people.
> >
> > This is where you miss the point, it's about BRAND PROTECTION. Yes the world would be much better if everyone was open, but that doesn't happen in the real world. Oracle still bills its database server as unbreakable, are they lying?
> >
> > > Every Machead I debate this with says the same thing. They argue about how Full Disclosure is bad for everyone and how all of us are wrong and unethical for releasing flaws to the public if a company doesn't patch a flaw in a timely and appropriate manner. I'd like to remind you that this isn't the first incident where Apple has lied to the public about the seriousness of a flaw to protect themselves.
> >
> > If you actually knew me, you know I support full disclosure. I'm not some wet behind the "oooh mummy got me a hacking exposed book, I can hack like Dave A now" kid, I've been in this damn industry for a long time now. I can give you countless other examples of companies who have protected their brand like Apple have done. It's not right, it's not clever, but this has been happening since the early 1900's (Coke is good for you, can fix all your health problems, oooh smoking hasn't killed anyone, Firestone tyres are totally safe USA!)
> >
> > > You (and the rest of the Apple community that thinks this way) need to wake up. Would you rather us find flaws and keep them to ourselves if the vendor decides not to fix it?
> >
> > Again assumptions are being made about me. I've found flaws, I was due to talk about them this month at EUSecWest but things happened that prevented me from doing so. I've spent loads on lawyers and would have rather spent it on buying a new hasselblad. Do you know me at all?
> >
> > > That's how the blackhat community works, they find flaws and keep them to themselves for later use. The blackhat community doesn't give a crap about what the corporations think, they have no rules to abide by. If they find a flaw, they keep it to themselves and use it when they deem necessary.
> >
> > Educating anyone on daily dave who actually has been on this list for longer than 1 year on how the "blackhat" community works is funny. Us old farts remember gov-boi and the "blackhat" sites like hack.co.za, hell I even hosted the site back in the day, so yes I'm fully aware of how this community works, again please stop thinking I'm 19 years old.
> >
> > > There is a good chance that a number of these flaws were already known by the blackhat community. Do you feel safe knowing that blackhats have their own private collection of exploits that they can use against you? Would you rather they continue to have a collection of unpatched flaws? Instead of binding the hands of white hats with legal and political garbage, you should be encouraging them to find and disclose flaws, not cover them up and hide them. People need to be aware of the risk to their information.
> >
> > Security research has changed since the 90's, especially in modern America and Europe. You cannot disclose information today and not expect some legal challenge. David and Co found this out the hard way, which I do feel for them. This is one reason I will never report on any issue I find anymore, it's not worth it.
> >
> > > Don't get me wrong. I'm all for responsible disclosure, but Apple has shown time and time again that they will not act responsibly in return. The community needs to be aware of the risks and if Apple won't tell the truth, then the community will.
> >
> > - Cisco
> > - Microsoft
> > - Lotus
> > - Oracle
> >
> > Shall I go on? Hell ask Dave L or Cesar about how responsible Oracle have been, I don't see any hate articles addressed to Mary Ann. Before I retired from IT, 12 years of experience taught me that every damn IT company lies. Apple isn't doing something new, why do you think RFP wrote his original policy back in the day?
> >
> > > Blackhats already have the advantage, why give them one more by binding our hands? Do you REALLY want that risk?
> >
> > You have totally missed the point of my mail. Everyone in this wireless cock-up handled it wrong. Dave and Co did it for the media, Apple should have come clean and christ knows, BLOGGERS CAN'T be expected to have the same journalistic integrity that traditional media does.
> >
> > This industry is at a crossroads. We need to grow up and mature and realise that for every action there is a reaction. Companies are no longer willing to accept some researcher blurting out some issue, no matter how serious it is, without taking into consideration the financial implications.
> >
> > > --
> > > Bow Sineath - bow.sineath () gmail com
>
> --
> They that can give up essential liberty
> to purchase a little temporary safety
> deserve neither liberty or safety
> -- Benjamin Franklin
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave