Full Disclosure mailing list archives
Re: Gmail/Yahoo!
From: System Outage <system_outage () yahoo com>
Date: Mon, 5 Jul 2004 14:01:52 -0700 (PDT)
My e-penis fux Yahoo! Security Team. Cheerio Geoffrey Huntley <ghuntley () gmail com> wrote: my e-penis is > your e-penis Give it a break dude. ----- Original Message ----- From: System Outage Date: Mon, 5 Jul 2004 12:54:05 -0700 (PDT) Subject: Re: [Full-disclosure] Gmail/Yahoo! To: full-disclosure () lists netsys com Yeah, i've contacted the Yahoo! Security Team over the past 1/2 years with various issues that they -did- follow up and patch, but did not once think to tell me about progress. It was only after I spoke to a representative of Yahoo! Security and said I was going to post all the underground security issues with Yahoo! to FD, that I received an e-mail to say sorry that we didn't contact you. We've been reading -all- mails are we've been taking further action(s), after all this time. I thought Yahoo! Security had been ignoring me, but the issues were being patched and that's all that matters at the end of the day. Although I did think it was bad mannered of Yahoo! representatives to treat users who provide them with valuable information, to be felt like 2nd class. I guess the same may apply for Google Security Team. After all, Yahoo! and Google were very good partners, up until recently. Google and Yahoo! seem to have very quickly become rivals, with regards of Search and E-mail. The things I could tell FD about Yahoo! would rock the Yahoo! Security Team to it's foundations (and they know it). Luckily for them, I have morals. Yahoo! are aware of who I am, even though they know me on another alias. Cheerio Maarten wrote: On Monday 05 July 2004 18:00, System Outage wrote:
If it's about posting advisories, why do many decide to post the exploit along with the advisory. To me this is not a responsible thing to do. Whoever knows how many script kiddies are sleeping on this list and taking advantage of the free exploit giveaway's seen here.
Can we please not have this discussion again ? Even IF you have a valid point, this list was conceived to include PoC code, despite the possible evil consequences. Read the list archives for lots more discussion on this.
10 days isn't an awful long time and the vendor never made primary contact with the user in question. Meaning, for whatever reason the e-mail may not have been delivered and because of this the Gmail Team could easily of been caught short on this issue and a seri!
ous hole exposed to the public, before
the vendor (Gmail) has had a chance to scramble together an incident response and get the hole patched out, before a serious number of account's become compromised on the service.
Ten days is more than enough for them to answer "Yes we received your mail / Yes we're looking into it, it will take some time before we have an update." Maybe not for microsoft, but what can you do when you receive no reply at all? And if the email actually did not reach them, all the more reason to post to this list. How else do you suggest that people become aware of an issue? Besides, the hole isn't that serious, so where's the fire anyway ? Maarten -- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- Re: Gmail/Yahoo! System Outage (Jul 05)
- <Possible follow-ups>
- Re: Gmail/Yahoo! System Outage (Jul 05)