lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: backed.up.by.2048.bit.encryption at hushmail.com (backed.up.by.2048.bit.encryption@...hmail.com)
Subject: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release

-----BEGIN PGP SIGNED MESSAGE-----


On Wed, 29 Jan 2003 15:36:42 -0800 "Richard M. Smith" <rms@...puterbytesman.com> wrote:
>Web bugs and cookies are more in the realm of privacy problems and
>I
>don't really see them as security issues.
>
>Most of the security problems that I have worked on deal with ActiveX
>controls that allow programs to be run and files to be written from
>Web
>pages and HTML email messages.


Well, where are they. All I can think of was a few proprietary controls in HP or some other vendors device that you originally discovered. Hardly a basis for your lofty claims that you have never had a problem with your advisories.

What was it HP and this Sony now?

>Pretty much the same area that Georgi
>works in.

Versus your dozen and your claim
>
>I first wrote about the security problems with ActiveX controls
>in the
>April 1997 in an editorial for Visual Basic Programmer's Journal:

Everyone has been writing about it long before 1997, in fact all the classic original rogue controlswere prior to your article, again your information taken from other people's work. No wonder you have been sniffing around all week asking ludicrious questions "is there any exploit code for the worm" "what's the size of the morris worm" and on on and. DO you ever do any original work?


>
>A few weeks ago, I found yet another ActiveX control that came
>pre-installed on my new Sony laptop that allows programs to be executed
>with arguments from a JavaScript program running in a Web page.
> I sent
>the software vendor a copy of my 6 year article because it still
>makes
>sense today.


Great. Now you can claim 13 exploits. Hardly.



>PS.  What's with the personal attacks?

I am repulsed by your grandstanding. Your lofty claims which can very easily be shown to be nothing more than hot air, but more so your ringmaster attitude in calling Litchfield to center stage today.

I don't think you have the history or the credibility to parade around like you do. Re-read your "I've written at least a dozen proof-of-concept" it is dripping with conceit.

Remember this? Nothing has changed -


All of the hype appeared to come from a single source: Richard M. Smith, then-president of Phar Lap Software, who discovered an obscure bug in Netscape Navigator 3.0. Smith admitted he held no credentials in the subfields of computer security at the time. (He is now an Internet privacy expert. See below.) But a lack of credentials didn't stop him from chastizing legit experts who wanted to dispel the Good Times hoax virus alert (see related link). In a public CompuServe message addressed to NCSA expert Mich Kabay, Smith proclaimed:
"Talk about bad timing for these so-called "experts"! Last weekend I discovered an HTML attachment that will crash the Email reader in the Windows 95 version of Netscape Navigator. Its the good time virus for real...."
Genuine virus experts admonished Smith for breathing new life into the Good Times hoax. They also critiqued his claims about the bug's threat potential -- and they admonished Smith for using the term "virus" to describe either the bug or the security threat it posed.



>
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
>backed.up.by.2048.bit.encryption@...hmail.com
>Sent: Wednesday, January 29, 2003 5:14 PM
>To: full-disclosure@...ts.netsys.com
>Subject: Re: [Full-Disclosure] [Secure Network Operations, Inc.]
>Full
>Disclosure != Exploit Release
>
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Probably because none of them were terrible important or interesting.
>Didn't they all revolve around "web bugs" or "cookies" and
>"supercookies" and the like? Essentially "stupid pet tricks"?
>
>Hardly enough to give a script kiddy an erection?
>
>Definitely not in the same league as Georgi Guninski's findings
>and
>absolutely not in David Litchfield's.
>
>- ----- Original Message -----
>From: Richard M. Smith
>
>>>> One problem with anyone making private exploits is that
> >>> they always seem to get leaked, no matter who it is.
>
>I've written at least a dozen proof-of-concept examples for security
>holes.  I've given these examples to vendors and shared them with
>friends and other security researchers.  I'm not aware of any of
>them
>being made public.  In addition, I serious doubt that any of the
>examples are of much use to anyone except to the vendor who messed
>up in
>the first place.
>
>Vendors probably find the bulk of security holes and I seriously
>doubt
>many of these problems have proof-of-concept code published for
>them.
>
>OTOH we know that public proof-of-concept examples are going to
>get into
>the wrong hands.
>
>Richard
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.2 (Java)
>Note: This signature can be verified at https://www.hushtools.com/verify
>
>wnUEARECADUFAj44UZcuHGJhY2tlZC51cC5ieS4yMDQ4LmJpdC5lbmNyeXB0aW9uQGh1
>c2htYWlsLmNvbQAKCRDEHQGvBp4eRHrmAJkB+xIhEUWPfNXVbYEqAQNBHgA1dQCfRKdh
>tkxti9byVRWQemicBGq8X+c=
>=VHyZ
>-----END PGP SIGNATURE-----
>
>
>
>
>Concerned about your privacy? Follow this link to get
>FREE encrypted email: https://www.hushmail.com/?l=2
>
>Big $$$ to be made with the HushMail Affiliate Program:
>https://www.hushmail.com/about.php?subloc=affiliate&l=427
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wnUEARECADUFAj44dewuHGJhY2tlZC51cC5ieS4yMDQ4LmJpdC5lbmNyeXB0aW9uQGh1
c2htYWlsLmNvbQAKCRDEHQGvBp4eRGTyAKCsfq2Bj4HWCLwLEfrwMBbKOe29JQCggbK4
YeGd7Pa6QDJUrT8DPXpsaYc=
=IVao
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ