lists.openwall.net: Open Source and information security mailing list archives
From: dcopley at eEye.com (Drew Copley)
Subject: Second RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

These things said, you did start the whole IE security
thing, really, though I think l0pht found some nice ones.

In a lot of ways you originated the whole field of looking
for configuration type errors. And, I do not know you,
that is correct. So, I cannot speak for you. 

But you did use Windows. I do read your emails. 

But, I would say, you are extremely talented. I would say
the bugs you found, others did not find. The bugs you found,
while not overly technical in the sense of requiring deep
knowledge of ASM were, regardless, extremely difficult to
find. Even if some came easily, surely it took a lot of
work in the first place in order to understand how the
developers thought and find bugs in their software.

If you are going to say you did not spend a lot of
time finding these bugs, that they were extremely easy
to find and required no talent whatsoever... then say
that. I do not believe that, and likely, would not believe
it even if you believed it yourself.

And even that would not change the point that you used
Windows and IE. There is a lot of software out there you
never used at all. Therefore, you never would have tested
it.

I am not some new convert to Windows, I am not even a
convert. In a great many ways, I prefer Linux. 

But, none of that is the point. The point is just that
if people change, they should change because, say, Microsoft
has a really bad history of fixing issues... not because
actual bugs were found. Not out of fear.

Not when the bugs found are extremely difficult to find. Not
when they are being found by the same people.

Some people have the idea that there are a lot of Guninskis
out there. For instance. I would say this is not true. There
is too much reason to use full disclosure. The bugs are
too difficult to find. And, egos aside, bugfinders tend
to know and hang around other bugfinders. 

A huge motivator for using security bugs to hack systems
is ego, or fame, or whatever. This is entirely mitigated
by the full disclosure process. Another huge motivator
is money -- for some people. But these types of people are
smart enough to avoid all of the hassle of finding security
issues and can make money in just about any way they want
to. Quite often.

This leaves political or religious motives, really. And,
generally, if people are wrapped up in some kind of
serious fanaticism... the last thing they have time or
desire to do is to enter into bugfinding.

This is not to say that the scene will not be changing,
I am sure it will be. It already has been changing, slowly. 


> -----Original Message-----
> From: Drew Copley 
> Sent: Thursday, July 01, 2004 10:33 AM
> To: 'Georgi Guninski'
> Cc: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] (IE/SCOB) Switching Software 
> Because of Bugs: Some Facts About Software and Security bugs
> 
>  
> 
> > -----Original Message-----
> > From: Georgi Guninski [mailto:guninski@...inski.com] 
> > Sent: Thursday, July 01, 2004 12:41 AM
> > To: Drew Copley
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] (IE/SCOB) Switching Software 
> > Because of Bugs: Some Facts About Software and Security bugs
> > 
> > your long post seems like an advanced FUD to me.
> 
> No, it comes from working in the software field... in development
> and QA...
> 
> "Fear, uncertainty, and doubt"? I said nothing scary... should
> not be scary to anyone... I surely said nothing which would
> make anyone "doubt", and I surely said nothing to make
> someone unsure -- so please do not falsely accuse me because
> you *think* I said something.
> 
> If you have a problem with something I say, please point it
> out. Otherwise, please do not slander me because you think
> you have a problem with something I have said. It seems you
> missed what I was saying and just skipped over everything.
> 
> I will be blunt and say, you must think I said something
> positive about Microsoft and not positive about open source. So,
> you are attacking me. However, I did not. 
> 
> So, please do not force me to waste my time to defend something
> I did not even say, that is really annoying.
> 
> 
> > 
> > according to your reasoning there should be a lot of worms 
> > and exploits for
> > apache because of its market share. fact is ii$ is plagued by 
> > worms and
> > exploits though it has a small market share.
> 
> That is not my reasoning.
> 
> That is not what I said.
> 
> Yes, Apache is an example of a really good software product. It
> has been really well tested. The last notable IIS bug, the
> chunked encoding bug from last year... was later cut and
> paste to test with Apache. It worked on Apache. Then, we tested
> it on Netscape Enterprise. It worked there. We might assume,
> therefore, since the same complicated bug was on each system
> and one of these systems was open source that... the bug
> came from Apache. But, so did the feature.
> 
> This bug was last Spring, though, late Spring. Yes, it was
> found by us, as most IIS bugs have been. Not that I like
> IIS...
> 
> These things said, it might be noted, the default landscape
> of both Apache and now, Windows 2003 IIS, are both extremely
> sparse. They do not have webdav or anything like this.
> 
> But, I am not sure why you are trying to put words in my
> mouth... 
> 
> You test Linux. You use Linux. You used to test Windows. You
> used to use Windows. I am sure you, no doubt, have serious
> hatred of Microsoft. That is extremely obvious. But, you have
> been attacked viciously by them in the press over and over
> again. No offense... just telling the truth as I see it...
> 
> 
> > 
> > On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
> > > There has been a great deal of talk about people
> > > switching to Mozilla because of this recent Internet
> > > Explorer issue. 
> > >
> > 
> >  
> > 

