From: sockz at email.com (sockz loves you)
Subject: (no subject)

> Aye, it is idiotic business practices, but as much as it is the $companies
> problem, it is also the users... as they are using the software with the
> hole, and they must protect themselves and their clients.

aye?  what are you, a pirate?  i might also point out to the rest of this
list that "fred" is in fact the same pirate as "M L Lynch"... don't want
anyone getting mixed up on that point there.

i don't see how a bug in the user's software is anything that a _user_
should be doing anything about.  as i've said time and time again, if you
think you've found a bug in your software, go to the software vendor to
report it... not some open discussion list.  if the dudes who make your
software don't want to fix the damned thing THEN CHANGE F*CKING BRANDS!
(where possible)
 
> Ok, but if someone like me finds a major security hole in a widely used
> system, chances are a great many $kiddles are already aware of the problem,
> whether thru self discovery (hehe, yeah right), or thru overhearing
> blackhats sharing info.

some important notes here:
1. blackhats don't release their exploits to the rest of the community.  any
blackhat who does is no more a "hacker" than a whitehat is.  just because you
have malicious intent doesn't mean you're not a whitehat.  and no, there is
no such thing as a grey hat.

2. like you noted, script kiddies lack the intelligence and skillz to find
their own bugs.  they hear about 0-day exploitz through their friends from
school, from "hacking" websites and so-called "hacker zines" which act in
just the same manner as whitehat mailing lists like bugtraq, full disclosure,
or vuln-dev.  THIS IS WHERE THESE MORONS GET THEIR ELITE INFO FROM!  NOT
THE BLACKHAT COMMUNITY (which advocates exactly the opposite)!

3. SO, if you find a "major security hole" in some piece of software, and
don't know how to fix it yourself, then CONTACT YOUR VENDOR!  i mean, dude,
it's not that hard a concept to grasp.  alternatively you can muster the
intelligence to fix the bug yourself, and then use it to compromise other
people's machines.
 
> By releasing the exploit it allows two things,
> 
> 1) Experienced system administrators to devise temporary hacks to work around
> the bug until it is properly fixed. (and let's say no one did know about the
> exploit, I would lay money an experienced sys-admin could write a correction
> hack faster than most $kiddles could figure out how to turn a proof of
> concept into something dangerous... or even compile some of them :p )

i don't see how this would be any different if you didn't report the bug to
the software developers alone.

> 2) It gives the $company motivation to fix the problem, where there was no
> motivation before... why would a mega-$company fix a bug if in their mind no
> one knew about it? they don't care... release info on the bug.. and proof of
> concept, and you question their reputation... this will get most $companies
> moving.

wow.  cuz it's like this, dude.  smaller software companies are worried about
their reputation and larger companies are worried about their investors.  any
company that didn't listen to something like that would be downright stupid.
it seems like i'm running around in circles here.  i mean, i must have
explained this to you five times in completely different ways.  WHERE AM I
LOSING YOU?!

> Anyway, I am dribbling...

that's way too easy...
 
> Cheers

ah-hoy, matey!