From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Correction to latest Corsaire advisories

Dear advisories,

--Tuesday, September 14, 2004, 2:03:31 PM, you wrote to full-disclosure@...ts.netsys.com:


a> It's always good to be correct(ness).

a> At the time the research was conducted (August 2003) we obviously
a> looked around for as much information as possible prior to
a> commencing. There were a number of individual MIME issues around, but
a> most were single-product vulnerabilities. If the 3APA3A white paper
a> you refer to was in existence at this time, it was not one we
a> encountered.

http://www.google.com/search?q=content+filtering+bypass

It was very hard _not_ to find this whitepaper (and a few more issues;
BTW, I need to update it :-) ).

a> It has also been recently updated to include the latest
a> information, so I can not comment on its previous content.

This is the content of the initial post (February, 2002):

http://www.securityfocus.com/archive/1/256619
http://www.securiteam.com/securitynews/5DP0I206AY.html

I teach first year students to Google search. Do you want to hire me?

a> The Corsaire research project produced test cases for around 200 working
a> attack vectors, that when passed through the top 10 content products
a> produced over 800 individual vulnerabilities (needless to point out that
a> there are a lot more than 10 products in this arena).

And a lot more than 200 attack vectors.

This is really serious work for a serious company. Of course, poor, busy
and tired 3APA3A can not do it alone. 80% of his attempts to contact
vendors with the cry to test their products failed. Your work is really
great, but: I see no results of your work: a list of vulnerable
products.

A 200 x 10 table is 3 screens of data. Why not publish it instead of
~10 uninformative advisories? What is the impact of these advisories except
self-advertising? I have some experience in this area, but I can't
identify exact problems from the provided information except issues I
already know. How does this information help vendors to secure their
products? How can you prevent the same bugs from appearing in future
products if you do not disclose details? Should they all buy your
services to get more detailed information?

-- 
~/ZARAZA