Full Disclosure mailing list archives
RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 29 Jan 2003 18:36:42 -0500
Web bugs and cookies are more in the realm of privacy problems and I don't really see them as security issues. Most of the security problems that I have worked on deal with ActiveX controls that allow programs to be run and files to be written from Web pages and HTML email messages. Pretty much the same area that Georgi works in. I first wrote about the security problems with ActiveX controls in April 1997 in an editorial for Visual Basic Programmer's Journal:

ActiveX Security is Everyone's Business
http://www.fawcette.com/archives/premier/mgznarch/vbpj/1997/04apr97/opinion.pdf

A few weeks ago, I found yet another ActiveX control that came pre-installed on my new Sony laptop that allows programs to be executed with arguments from a JavaScript program running in a Web page. I sent the software vendor a copy of my 6-year-old article because it still makes sense today.

Richard

PS. What's with the personal attacks?

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of backed.up.by.2048.bit.encryption () hushmail com
Sent: Wednesday, January 29, 2003 5:14 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] [Secure Network Operations, Inc.] Full Disclosure != Exploit Release

Probably because none of them were terribly important or interesting. Didn't they all revolve around "web bugs" or "cookies" and "supercookies" and the like? Essentially "stupid pet tricks"? Hardly enough to give a script kiddy an erection? Definitely not in the same league as Georgi Guninski's findings and absolutely not in David Litchfield's.

----- Original Message -----
From: Richard M. Smith
One problem with anyone making private exploits is that they always seem to get leaked, no matter who it is.
I've written at least a dozen proof-of-concept examples for security holes. I've given these examples to vendors and shared them with friends and other security researchers. I'm not aware of any of them being made public. In addition, I seriously doubt that any of the examples are of much use to anyone except to the vendor who messed up in the first place. Vendors probably find the bulk of security holes and I seriously doubt many of these problems have proof-of-concept code published for them. OTOH we know that public proof-of-concept examples are going to get into the wrong hands.

Richard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html