Date: Sat, 18 Sep 2010 17:15:18 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Nmap NOT VULNERABLE to Windows DLL Hijacking
 Vulnerability

I'm not sure that I (or other developers for that matter) appreciate being likened to a child with the associated innuendo of naiveté and ignorance.  Nor do I think you are qualified to make the assumption that MSFT is acting as my "parent" and that API calls are "grenades."  It's a documented API and is accompanied with clear security warnings.  

If you wish to engage in hyperbole, why not email God and ask him why Deadly Nightshade didn't come with warnings pre-printed on the leaves and why poison oak didn't grow with a "don't wipe your butt with this while camping" disclaimer?

APIs are APIs.  Pomegranates are Pomegranates.   It's people with mindsets like yours that turn "grenates" into grenades.  

t

>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
>bounces@...ts.grok.org.uk] On Behalf Of Pavel Kankovsky
>Sent: Saturday, September 18, 2010 9:21 AM
>To: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] Nmap NOT VULNERABLE to Windows DLL
>Hijacking Vulnerability
>
>On Wed, 8 Sep 2010, jf wrote:
>
>> I still don't see how this is really MSFT's fault. I mean, there's
>> defined APIs for getting the version, there's a fairly clear warning on
>> MSDN for LoadLibrary & SearchPath; isn't this akin to blaming the OS
>> vendor for the app vendor improperly using strcpy?
>
>Providing a very dangerous API to developers and advising them to avoid the
>most straightforward way of using it is like giving a hand grenade to kids and
>advising them to be very careful when they play with it.
>
>--
>Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
>"For death is come up into our MS Windows(tm)..." \ 21st century edition /
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
