Full Disclosure mailing list archives

Re: <Format-Fix> Re: Beyond black, white, and grey: the Yellow Hat


From: "democow the happy cow" <democowx86 () hotmail com>
Date: Wed, 20 Nov 2002 19:09:58 +0000

From the desk of democow….

/* unfortunately for most of us we depend on someone else at some point to be as security minded on their systems as we are on our own, life doesn't always work out the way we would like. What is distressing though is seeing someone, specifically "hellnbak" who has recently owned up to being one of the learned through using security lists, now groveling at the "phrick" feet */

now in a little defense of hellnbak he did not show any support of #phrack he was on the other hand making comments on how the current manifestation of the infosec industry uses deceptive and one time flat out unethical sales practices

although I do welcome his opinions

/*
awww shucks trying to cover your own "sell out behind". Posting what seemed to be a private email just to make yourself look sincere is beyond sad. Might know more than you care to admit about that back stabbing comment you made on a personal level eh? I have yet to see a contribution to this list from Steve aka hellnbak other than a lot of comments, and his often offered $0.2. How many times have you posted a fix for anything? */

and I hope he doesn't…

/* Isn't that the argument of all security consultants? But back to my point, the above is quite a change from how "hellnbak" felt back in August: <snip>"Tell me, based on the PHC definition of a hacker -- one who breaks into boxes, are you a hacker? If so, then I have to thank you for the long term employment you have given me. You guys are not the solution, you are part of the problem. Maybe even the root cause.</snip> */

people tend to change their mind when they give a subject a second look, this may be true in the case of hellnbak.

We are using this list to convey our message, in our opinion that is the only good reason for this list's existence

/* "Several recent studies have shown that one in every 4 Americans suffers from some form of mental disorder. Think about that, if 3 of your friends seem normal, then you must be the one." */

I think that only applies to you mate

-

I would also like to add something new to this “debate”: do any of you whitehats out there even consider what jackasses you are? When you discover a new class of vulnerability in software applications you post information about it (buffer restriction problems, etc.); I don’t have a huge problem with that because it allows programmers to become more aware of problems they should try to avoid in their code.. but then you take software that people have worked very long and hard on and try to find minuscule problems within it, then after you do that what do you do?

You post the problem on a mailing list or try to contact the people who made it, but if they don’t respond to you in the way YOU want them to, you slander them for it on mailing lists… one of the more recent examples that comes to mind is the IE SSL certificate authority issue that MS was not even contacted about

Now I know some whitehats do contact the vendors in a more respectable manner nowadays, but as soon as the vendor sends out a patch they just choose to give out almost every little detail on how to exploit the problem to public lists.. sometimes even PoC code that is just an exploit that crashes the program in question, or runs some sort of dumbed down shellcode, is given out to the public.

Considering that there is almost no chance that every user of the vulnerable product had almost no time to patch the problem or be alerted of it… why do whitehats feel the need to let the public know how to take advantage of something like that? How is that improving security?

-democow
“a cow for every generation”


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html