Full Disclosure mailing list archives

Re: Internet Explorer User Interface Races, Redeux


From: n3td3v <n3td3v () gmail com>
Date: Thu, 27 Apr 2006 18:44:25 +0100

On 4/27/06, Antczak, Ed <Ed.Antczak () fnf com> wrote:
> Thanks for the email header lesson.
> Basics, or complex analysis is part of what makes postings worth
> reading.

Yes, he's young, immature. He -is- releasing to the script kiddie
community of FD legitimate Microsoft product vulnerabilities, for which
everyone is grateful. However, the blatant targeting of the media
(Robert Lemos) via his "VENDOR RESPONSE" paragraphs will decrease his
mad hax0r points credibility in the underground and also the
professional circuit. Yes, he's a genius, yes he's great, but drop the
media audience target of your advisories and you won't have the likes
of n3td3v IDs running amok on your legitimate Microsoft advisories.
As for the showing off of the "look I understand e-mail headers" thing,
that wasn't even needed; all everyone had to do was look at the link,
and you would know it was a Robert Lemos look-alike. And if you had
been paying attention, Matty boy, you would have seen it wasn't the
first time the Robert Lemos look-alike had appeared. And the previous
look-alike post actually acknowledged it as such. Ha! Then your
immaturity ran further by saying, "as if Robert Lemos would have a
Yahoo account." Hehe, his Yahoo account is "robert_lemos", but if you
had read the Robert Lemos Fan Club Blog, you would have seen the post I
made about it. As for you "being a contact" knowing his e-mail
address. That's laughable. I've been emailing him for years and
IMing him on Yahoo Messenger for years. So much for your "inside
knowledge" of how to contact Robert Lemos, ha ha ha.

You're a clever guy (Matty), but there are elements of your advisories
you need to touch up, like the artificial creation of Microsoft
Security Response Center drama, which you're hopeful the media will
pick up on! No one gives a shit if one college student thinks
Microsoft's disclosure-to-Patch-Tuesday cycle is too slow for his
liking. You report the vulnerability to Microsoft, and then it's out of
your hands. Microsoft can sit on the vulnerability for years if they so
choose to do so; it's not the position of the bug finder to influence
and change corporate security policies and never will be. Yes, sure,
Microsoft take months to tell the public about a vulnerability you
report, so what, who gives a shit, and why should you? Unless your
primary goal isn't to research Microsoft product vulnerabilities and
alert them to a flaw, and really, you're just after the world stage of
Microsoft announcing a flaw to everyone via their website, just so you
can get off on five minutes of fame. It's not about the media, it's not
about fame, it's not about everyone knowing what a great guy you are,
it's about alerting a vendor in private of an issue, and moving on. Why
care if Microsoft release a patch? You told them about it, it's the
most you can do; they decide when to release a patch or tell the
public about it, via their own strategies, and it will always be out of
the control of the bug finder. I was like you once, I used to scream at
Google and Yahoo for not patching something, but then once I spoke to
the guys involved, I realised it's not about security, it's about
choosing a good time to bury bad news, and of course, the queuing
system of whose flaw gets more attention first is down to money, and
the risk to profit, not how critical the bug finder decides the
vulnerability is, but security professionals deciding on priority on
the basis of what makes business sense, not on the basis of what makes
sense to a bug finder, who is wetting his pants at the opportunity to
get acknowledged in public by one of the biggest software makers in
the world.

Regards, n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
