lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FDC66657@hermes.eCompany.gov> From: dcopley at eeye.com (Drew Copley) Subject: RE: new internet explorer exploit (was new worm) > -----Original Message----- > From: Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu] > Sent: Monday, March 29, 2004 5:27 PM > To: Drew Copley > Cc: Jelmer; full-disclosure@...ts.netsys.com; > bugtraq@...urityfocus.com > Subject: Re: [Full-Disclosure] RE: new internet explorer > exploit (was new worm) > > On Mon, 29 Mar 2004 17:14:12 PST, Drew Copley said: > > > > > > Has anybody offered the Microsoft dude who denied the > > > existence of 0-days > > > some ketchup for his fried crow? ;) > > > > I do not recall this quote. Such a quote would be patently > untrue even > > from the viewpoint of legitimate researchers that have open > bugs with > > them. Such bugs are "zero day", though the vendor may be > aware of them. > > http://news.bbc.co.uk/1/hi/technology/3485972.stm > > Sad part was that the CTO for their security business and > technology unit. > > And yes, he was widely derided for it. I missed this one! I am generally cynical of "black hat" claims. (But, then again, what real "black hat" is going to make any claim at all? You think these Russian guys stealing credit cards are making claims? Or, whoever the guilty party is?) [Not that criminals don't find an overwhelming need to brag about their efforts...] However, you can not prove a negative. You should not need anyone to tell you that, but if you try and seek the truth in all things -- you would come across this problem so often you would remember it. And, in security, you should never think "all is safe" or even worse, "there can never be a problem". In this man's case... this just downright scares me. The webdav exploit was huge, and it should have been scary. Why on earth would people not be alarmed at it? But, the very understanding of the security community should show everyone that it is and has been steadily growing all along. The knowledge is growing. These things are inevitable. I think we can also reason that these security bugs will be used. Look at the spyware field and these recent bank/cc stealing worms. Look at all of the wild political causes out there. You could hardly have a hotter pot to boil. **Last note: "hackers" are not "black hats". I hate the whole idea of people being classified as "good or evil" in that sense. That is not the way the word has been used within the development field, within the administration field, nor within the security community. I do not think a single bug finder out there wears a suit and tie to work. By their very nature they are unconventional thinkers.
Powered by blists - more mailing lists