lists.openwall.net - Open Source and information security mailing list archives
From: SMoyer at rgare.com (Moyer, Shawn)
Subject: it's all about timing

Comments inline. cc: to that "other" list deleted.

> Sure, HP's response has been harsh. But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.
>
> Only if the vendor does nothing in these weeks, only then the
> report/exploit/whatever should be made public.

Riiight.... Great. But according to the (now-yanked) CNet article, Snosoft started talking to HP *this spring*, and HP sat on their hands. So, if the vendor gets several months' notice, does exactly jack squat, and then the vuln. leaks somehow, who do you blame? As Paul S. pointed out, nothing is black and white, it's all just shades of grey.

Me, I blame the vendor. For fsck's sake, this thing works with a no-exec stack! How sad is that? And these dorks wanted months and months to fix it? Who do they think they are, ISC? [ ^_^ ]

Sure, it shouldn't have leaked, but exactly how long *were* they going to let every OSF/1 box out there be a sitting duck? At least now I know to chmod 750 /bin/su and chown it root:wheel (a good practice anyway).

--shawn