lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F313SOlbpH71yEXUIEA0001e9f5@hotmail.com>
From: democowx86 at hotmail.com (democow the happy cow)
Subject: <Format-Fix> Re: Beyond black, white, and grey: the
 Yellow Hat




>From the desk of democow….

/*unfortunately for most of us we depend on someone else at some point to be 
as security minded on their systems as we are on our own, life doesn't 
always work out the way we would like. What is distressing though is seeing 
someone, specifically "hellnbak" who has! recently owned up to being one of 
the learned through using security lists, now groveling at the "phrick" feet 
*/

now in a little defense of hellnbak he did not show any support of #phrack 
he was on the other hand making comments on how the current manifestation of 
the infosec industry uses deceptive and one time flat out unethical  sales 
practices

although I do welcome his opinions

/*
awww shucks trying to cover your own "sell out behind". Posting what seemed 
to be a private email just to make yourself look sincere is beyond sad. 
Might know more than you care to admit about that back stabbing comment you 
made on a personal level eh? I have yet to see a contribution to this list 
from Steve aka hellnbak other than a lot of comments, and his often offered 
$0.2. How many times have you posted a fix for anything? */

and I hope he dosen’t…

/* Isn't that the argument of all security consultants? But back to my 
point, the above is quite a change from how "hellnbak" felt back in August: 
<snip>"Tell me, based on the PHC definition of a hacker -- one who breaks 
into boxes, are you a hacker? If so, then I have to thank you for the long 
term employment you have given me. You guys are not the solution, you are 
part of the problem. Maybe even the root cause.</snip> */

people tend to change their mind when they give a subject a second look, 
this may be true in the case of hellnbak.

We are using this list to convey our message, in our opinion that is the 
only good reason for this lists existence

/* "Several recent studi! es have shown that one in every 4 Americans 
suffers from some form of mental disorder.  Think about that, if  3 of your 
friends seem normal, then you must be the one."   */

i think that only applies to you mate

-

I would also like to add something new to this “debate” do any of you 
whitehats out there even consider what jackasses you are? When you discover 
a new class of vulnerability in software applications you post a information 
about it( buffer restriction problems..etc) that I don’t have a huge problem 
because it allows programmers to become more aware of problems they should 
try to avoid in their code.. but then you take software that people have 
worked very long and hard on and try to find miniscule problems within it 
then after you do that what do you do?

You post the problem on a mailing list or try to contact the people who made 
it, but if they don’t respond to you in the way YOU want them to, you 
slander them for it on mailing lists… one of the more recent examples that 
comes to mind is the IE ssl certificate authority issue that ms was not even 
contacted about

Now I know a some whitehats do contact the vendors in a more respectable 
manner now-a-days but as soon as the vendor sends out a patch they just 
choose to give out almost every little detail on how to exploit the problem 
to public lists.. sometimes even PoC code that is just an exploit that 
crashes the program in question, or runs some sort of  dumbed down shellcode 
is given out to the public.

Considering that there is almost no chance that every user of the vulnerable 
product had almost no time to patch the problem or be alerted of it… why do 
whitehats feel the need to let the public know how to take advantage of 
something like that? How is that improving security?

-democow
“a cow for every generation”






_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE* 
http://join.msn.com/?page=features/junkmail


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ