[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200402111544.i1BFi6qE000338@mailserver2.hushmail.com>
From: macmanus at hushmail.com (macmanus@...hmail.com)
Subject: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
bothered that you were giving people a road map to the exploit.
>
>Here I was wondering why a security vendor would be increasing the
>risk
>model
Increasing the "risk model" by giving people more information? Are you
kidding? Are you lost? On the wrong list maybe?
by releasing details which will save the "bad guys" weeks
>of
>research on the day of the patch release, giving the "good guys"
>even
>less time to regression test this patch in their environment and
>>
>mitigate any harmful side effects.
>
>Seriously, I think as a firm in the security industry that touts
>>
>themselves as an enterprise network protector you owe the community
>an
>explanation as to what value the information in these bulletins
>have.
If by that you mean the community owes them thanks for publishing these
findings...
>How many of your customers have been directly affected by worms
>which
>have spawned from information you have provided?
Your good guys/bad guys logic is very convincing... you're right clearly
it is better keep it all a secret so no one knows the problems and no
one can fix them or implement work arounds until these companies finally
get around to issueing patches.
Nothing in this bulletin helps me mitigate
>>
>this vulnerability, unless I am writing my own IDS rules
Wow! you are quick! With information like this you can write ids rules
and firewall rules and all kinds of magic fixes.
>
>I am all for full-disclosure, but that doesn't have to mean immediate
>>
>disclosure, understanding the potential harm in what you are doing
>and
>adjusting your ego boosting email release cycle to match it would
>do us
>all some good. Do I want you to stop releasing bulletins about
>>
>vulnerabilities? No. Do I want you to wait to release academically
>>
>valuable research info which might help others either avoid creating
>>
>such flaws in their code or find such flaws that already exist?
>Yes.
You're very demanding, there Paul. Full disclosure, no. Partial disclosure
when its already too late to do anything about it, yes. (Yeah that would
be a great world.) Do this do that. How about you do something useful
and quit whining when you end up having to do a little more work.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAkAqTfIACgkQMqw+bEM+0IzoygCdHKgX7VC40za2fWmYiHtqwYruiwkA
mwaP/zp/x5fR7NnKqm/SsrhXDQKk
=0s4u
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists