Message-ID: <200407061823.i66INBXY021539@mail.soporte.cl>
From: rodrigo at intellicomp.cl (Rodrigo Gutierrez)
Subject: Gmail Information Disclosure Vulnerability

Full as in "full" means FULL, the very purpose of this list is to allow
people posting their findings without being moderated by people like you.

 

PS:  do not disrespect M$, keep your advisories private bitches!

 

Regards

 

Rodrigo.-

  _____  

From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On behalf of System Outage
Sent: Monday, 05 July 2004 12:00
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability


If it's about posting advisories, why do many decide to post the exploit
along with the advisory? To me this is not a responsible thing to do.
Who knows how many script kiddies are sleeping on this list and taking
advantage of the free exploit giveaways seen here.
 
10 days isn't an awfully long time and the vendor never made primary contact
with the user in question. Meaning, for whatever reason the e-mail may not
have been delivered and because of this the Gmail Team could easily have been
caught short on this issue and a serious hole exposed to the public, before
the vendor (Gmail) has had a chance to scramble together an incident
response and get the hole patched out, before a serious number of accounts
become compromised on the service.
 
There is a difference between responsible "Full Disclosure" and
irresponsible "Full Disclosure".
 
 
Cheerio
 
 


Tremaine <tremaine@...il.com> wrote:

It's about posting security advisories. The initial poster advises
they notified the gmail team, and posted this advisory 10 days later.

It is immaterial whether an application is in alpha, beta or
production. If the software or application is in use outside the
development team, and there is a security issue, it is relevant to
this list.


It's called Full Disclosure for a reason... not partial disclosure,
not disclosure of production applications only... Full Disclosure.

If you want partial disclosure, you may need to rethink your
subscription to the list.



-- 
Tremaine
IT Security Consultant


----- Original Message -----
From: System Outage 
Date: Mon, 5 Jul 2004 06:46:42 -0700 (PDT)
Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability
To: full-disclosure@...ts.netsys.com


If it's not about respect then what is it about? 

You have no respect for the Gmail Team, that's for sure.

I guess this list isn't about respect...

It's about kiddies posting advisories and exploits for fun and little
care for the vendor(s).


Cheerio




amforward@...lsurf.com wrote:
System Outage wrote:

|The correct channel to post such "bugs" is the Gmail contact link for "bug 
|reports". 

I have already contacted Gmail about 10 days ago, but I have not received any
replies till this moment.

|If you had waited until the Gmail dev team declared gmail a public release,
|you would have gained more respect in the security community scene.

I don't think this is about respect after all.

Regards,
Ahmed Motaz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

