lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 20 Mar 2013 18:56:58 +0100
From: Daniel Preussker <daniel@...ussker.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Deutsche Post Security Cup 2013

On 20.03.2013, at 14:59, Benji wrote:

> >>I think its getting ridiculous, if you don't have a name in the industry you're getting sued for the vast majority of bugs you solve...
> >>And on the other hand, those same companies give away 3-15.000 for a single bug if the researcher happens to be known :|
> 
> Examples please

Well for instance we got all those folks that got into trouble with jail-breaking all kinds of devices, I know this is not a bug per se but it still has a bad flavor to know that one aint allowed to do nothing with "his" hardware...
Then we got those governmental pages, who don't really care that people like us make their applications more secure... mostly even for free...
Here I remember the MTISC thing... MTISC was/is a client-page for ManTech (one of the Top weapon-systems engineer and deliverer for mostly any U.S.-Military). Somebody found out that "'OR 1=1" as username and password grants administrator level access on the site, making you able to get any invoice and delivery receipt (like Iraqi bases from the U.S.-military).. Well, I assume he had quite fun too...
Also PayPal, now they do bug-bounty, some time ago they were fairly pro-active with their lawyers if I remember right...

I've even had a threatening from a bavarian university because I informed them that having a root directory worldwide readable via apache2 fancyindexing aint so intelligent...

There are ofc a lot more examples, one individual I used to talk to was close to jail due to an SQL-Injectection disclosure...


I admit, I might have over exaggerated the situation a bit in rage.

Kind regards,

Daniel Preussker

[ Security Consultant, Network & Protocol Security and Cryptography
[ LPI & Novell Certified Linux Engineer and Researcher
[ +49 178 600 96 30
[ Daniel@...ussker.Net
[ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1
Download attachment "PGP.sig" of type "application/pgp-signature" (842 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ