Date: Wed Apr 19 10:26:01 2006
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Google Groups e-mail disclosure in plain text

n3td3v wrote:
[...]
> Furthermore, Secunia are the biggest "scene whore" professional
> website in the industry.

Uhh, dude... the scene and the industry are essentially two different
things.  There's no such thing as a "professional scene whore" unless
you're a) delusional or b) in Vegas.

> There's nothing on their site that wasn't available via other public sources.

DUH.  It's called *competition*.  Should my neighborhood dollar store go
out of business because, DUH, it's all available at Wal-Mart anyway?
No.  We call those monopolies.  In the software industry, we call this
monopoly Microsoft.

Since you're so anti-corporate and all, you should already *know* that.
That really takes an anti-corporate personality (or a lifetime in a
cave) to call me "pro-Microsoft", now doesn't it?  Especially amongst
people here, I'm a pretty tough-to-please Microsoft critic.

> With Secunia, it's all about republish, republish, republish people's shiz.

You're slighting Secunia.  At least Secunia does SOME original research.
Further, the service that Secunia provides is one of centralization and
organization.  There are hundreds of points of delivery and discussion
for original research, Secunia itself being one of them.  Secunia,
SecurityTracker, and a whole load of other similar services make an
entire business out of mining those sources of information, *verifying*
it (and believe me, I've seen flat-out wrong vuln reports before), and
presenting it in a consistent, usable format.

Is it a simple, almost trivial chore?  Probably.  Is it tedious and time
consuming?  You bet.

If you'd ever administered a network with a few hundred or so machines
with (if you're lucky) a handful of other people on your staff, you'd
know.  Each individual business or institution with assets to secure
cannot feasibly afford the costs of doing independent intel gathering,
even with something as basic as an alerting service.  Otherwise, folk
like Secunia wouldn't have a market.

> And you want everyone to thank them for "secure" hosting? Don't kid a kidder...

Yeah... secure enough.  And, oh by the way... it's free.  Didn't your
mommy teach you how to say "thank you" like a good little boy when
strangers do nice things for you?

Or do you just extort favors from people with your six-machine botnet
from the latest Google Groups spam run?  We're really shakin' now.

> If they did something special with their website like Securityfocus
> does, then I might be able to bear their illegal footer message spam

"Illegal"?  What planet/drug are you on?  There's a small problem with
your "legal theory" here.  Secunia's sneaky footer insertion attack that
renders e-mails to F-D oh-so-totally useless has a perfectly legal
explanation, you see.  THEY OWN THE SERVER.  As in, you know, bought it,
paid for it, and maintain it?

I hope that's not too complicated for you.

Next time you feel like criticizing Secunia (or anyone else), try
finding a criticism that makes sense.

> and their scene whore republication of advisories they claim are
> Secunia exclusives.

I'm not going to be one to defend Secunia here, but I don't think they
claim that the raw information in MOST of their advisories is
"exclusive".  Granted, they sometimes make mistakes on crediting sources
and supplementing information, but I haven't heard them make a claim
that something public was "exclusive".  Even in the case of their own
research, they publicize it for the community and other normative
sources rip it off in turn.

The only semi-exclusive work they do (to my knowledge) is the data
plotting (charting, graphing, etc.) that examines a few trends (number
of advisories, risk levels of vulnerabilities, patches available, etc.)
for specific products.
