Full Disclosure mailing list archives
Re: F-Secure to release XSS "potential dangers"
From: n3td3v <xploitable () gmail com>
Date: Thu, 27 Jul 2006 09:12:43 +0000
On 7/27/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

> On Wed, 26 Jul 2006 19:06:11 -0000, n3td3v said:
> > This is highly irresponsible of F-Secure and they should be held
> > legally responsible if the information they release in relation to
> > their "Netscape hacked" blog entry is used maliciously.
>
> You might want to review what you've posted to lists regarding vulnerabilities, and ask yourself: if F-Secure gets held to some legal standard of liability, where do you end up yourself? I don't know who's going to end up the test case/poster child for vulnerability liability, but it's much more likely to be an individual that posts to this list and can't afford a lawyer than a corporation with deep pockets like F-Secure....
Someone has got to keep track of what corporations are saying, and everything should be questioned. You say a corporation with deep pockets, but at the end of the day we're really just talking about individuals who work within corporations. The true intentions of a single employee may not be the same as those of the corporation. Sure, once an individual employee makes a mistake, that employee is protected by the deep pockets of the corporate brand name. Does that mean n3td3v's aren't ever to question the wording of the stated blog entry, just because it's a corporation? "Oh, I wouldn't bother mentioning it, he works for a corporation!" It wasn't what he was saying, it was the way that he said it and the place (blog entry) he said it. I'm not about to let off individuals and not report them when I think something wrong is happening just because they work for a corporation. If anything, the fact that they work for a corporation is even more reason to report them.

What I'm saying falls in line with a long-term interest I have, and that's rogue employees within corporations, acting under the name of a corporation and in full knowledge that if they do something wrong they will be protected by deep pockets. What you said about the deep pockets of a corporation is half of the overall problem of rogue employees within corporations. They play up to the fact they are working for a corporation. They exploit the fact they are in a corporation. They use the corporation to get ahead. Lots of them sell corporate data to outsiders for dollars. This is going on at many corporations. There's lots of things I see, and lots of things I pick up on from little blog comments and instant message conversations I have with people.

My slogan is and always has been: "Never trust your employees". People have said this is a harsh thing to say, but I've seen first hand what's really going on behind the scenes.

There are so many people hiding deep within corporations thinking they aren't being detected, but it's the little comments employees make that trigger off my suspicion to investigate that individual further over a prolonged period to see what else they are getting up to. These are (some of) the things I look out for:

- When they are at work and think no one is watching, what do they say to people, what are they doing on corporate machines? Are they talking to questionable people, and what is being said to them? (I've seen employees hacking on corporate machines, and boasting about what they've just done over instant message.)
- Little giveaway comments made on blogs and instant messages. A lot of the time people say little things by mistake which give away a bigger hidden agenda.
- Their activity when they get home at night and what they get up to. What are they doing when they get home? What are their social circles on the internet when they get home? Are these social circles questionable? What are their excuses for talking to these questionable people?

Lots of the time the employee will use the excuse that they are talking to questionable people to get intelligence for the corporation when they get caught by the corporation. And the corporation believes them. This is a prime example of exploiting their job position to openly talk to questionable people on questionable subjects in the open, without fear of getting into trouble if someone eavesdrops on a conversation with employee monitoring software or if someone copies and pastes their conversation.

There are other malpractice triggers I've not mentioned above to save e-mail space, but you get the idea. I will continue to keep an eye on corporate users and will report them to my mailing list and/or Fool-Disclosure regardless of what people say.

I've witnessed malpractice first hand, and I believe tracking down rogue employees and listening to some of the excuses they give their employer for the things they do and say, when I highlight what they are up to, is as much a buzz as finding bugs in software. I know the more people who report this stuff, the bigger the difference it makes overall. Rogue employees are high on the n3td3v agenda and will continue to be.

If anyone would be suing F-Secure it would be Netscape, after F-Secure release the information they said they would, to teach the Digg users how to attack Netscape.com better the next time they find an XSS hole in their service. Of course he will say he didn't mean it like that, but as far as I'm concerned he did, and that's why I reported it.

Rogue employees, beware: you could be next, no one is safe from being reported by n3td3v. You could be next, no one will escape being reported to mailing lists by n3td3v. n3td3v is watching your internet activity, your instant messages, your e-mail, your social circles and the things you are hacking.

To everyone else: bug hunting is as much a buzz as finding rogue employees and monitoring their activity, and I encourage everyone to be paranoid about who you work beside and keep an eye on what they are doing.

Valdis, when you mentioned deep pockets, you hit the nail on the head as to why malicious users apply for jobs within corporations. The biggest threat to the internet today is rogue employees. They have the academic background, the knowledge, and the false sense of security on their corporate computers. Not all I've said relates to the F-Secure blog entry person, but it probably does! That's all I'm going to say right now on the subject.

If you think you know a rogue employee and you can't be bothered monitoring them, e-mail me at xploitable () gmail com

Trust no one and question everything.

Rant done.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- F-Secure to release XSS "potential dangers" n3td3v (Jul 26)
- Re: F-Secure to release XSS "potential dangers" c0ntex (Jul 26)
- Re: F-Secure to release XSS "potential dangers" n3td3v (Jul 27)
- Re: F-Secure to release XSS "potential dangers" Dan B (Jul 27)
- Re: F-Secure to release XSS "potential dangers" n3td3v (Jul 27)
- Re: F-Secure to release XSS "potential dangers" xyberpix (Jul 28)
- Re: F-Secure to release XSS "potential dangers" n3td3v (Jul 27)
- Re: F-Secure to release XSS "potential dangers" c0ntex (Jul 26)
- Re: F-Secure to release XSS "potential dangers" Valdis . Kletnieks (Jul 26)
- Re: F-Secure to release XSS "potential dangers" n3td3v (Jul 27)
- Re: F-Secure to release XSS "potential dangers" c0ntex (Jul 27)
- RE: [lists] Re: F-Secure to release XSS "potential dangers" Curt Purdy (Jul 28)
- Re: F-Secure to release XSS "potential dangers" n3td3v (Jul 27)
- <Possible follow-ups>
- Re: F-Secure to release XSS "potential dangers" Mike M (Jul 26)