Message-ID: <3F0BDBE4.7050504@nolog.org>
From: lists at nolog.org (Martin Peikert)
Subject: Re: Fwd: xbl vulnerabilty

Hello,

martin f krafft wrote:
> If you don't give us a name, we can't credit you. We will not say
> that "mysterious auto94042@...hmail.com found that..."

there was a discussion on pen-test about anonymity, so I won't start 
that here again. But maybe some of the arguments mentioned there are 
necessary to change your mind. I cannot see what the hell you need a 
"name" for.

> Sorry, anonymity only has a certain degree of utility.

Some arguments from the discussion (not a quote):
  rfp, mudge, Gwendolynn ferch Elydyr - are those names you would
  accept? How do you decide that a name or mail address is fake -
  would a post from "Fook Yoo" be allowed? If it was
  fyoo@...mail.com, Fook_Yoo@...com?

So, IMHO at least you could tell the people that auto94042@...hmail.com 
found that vulnerability - it's *the author's* choice to give his real 
name, a name - do you think you can prove that? - or simply nothing.
You _do have_ the email address.

GTi

