Open Source and information security mailing list archives
 
Date: Thu, 10 Jun 2010 18:00:07 +0200
From: Tavis Ormandy <taviso@...xchg8b.com>
To: Susan Bradley <sbradcpa@...bell.net>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Susan, I wish I had the time to hold your hand through getting up to
speed on the disclosure debate. Instead, I would suggest starting with
the links in my advisory which were intended to give you enough
background to understand the issues involved (skip to the Notes section,
if you like).

As I cannot hope to speak as eloquently on the topic as Bruce, I will
not attempt to repeat them for you here.

If after researching the topic you still have questions, please let me
know.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
> I'm not an enterprise customer, but I am a mouthy female. So here's my 
> question back to you, for my education, how exactly did MSRC contact you 
> back? 
> 
> Since June 5th have you tried emailing back or any of your contacts from 
> past interactions and asked what was up?  I'm disappointed in this lack 
> of communication I see on both sides.  You are ...well... Tavis 
> Ormandy... I seriously doubt MSRC is blowing you off here.
> 
> Keep in mind we just had a LARGE patch week to deal with.  I don't know 
> what was going on on their side, nor making excuses as I don't know what 
> communication you've had in the past and had on this issue ... I'm just 
> saying I would have spent a little more time getting mad at them and 
> sent a lot more emails back to them before posting this.
> 
> (And try dealing with Microsoft licensing sometime if you think security 
> communication is lacking)
> 

-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------
