Message-ID: <41A81BBD.3080301@secnetops.com>
From: kf_lists at secnetops.com (kf_lists)
Subject: To anybody who's offended by my disclosure policy

Gadi Evron wrote:

> He is not a messenger, he is the executioner.

Nah... it's more like Microsoft is one of the executioners... they lead 
all the sheep to slaughter every time they release a new piece of 
software. Skylined just reminded you of where they are taking you.

> How? How is he doing me a favor and why don't I have a problem with 
> other people who release vulnerabilities? You don't need a sixth sense 
> to guess that.

Hrmm... stop using their crappy products. Bitch at support staff, 
general managers, QA team members. Hrmm, go get a friggin petition signed, 
boycott them. I don't really care how you hold them accountable, just 
stop bending over, spelling RUN out loud and then bitching at Skylined 
when you get screwed.

He's doing you a favor because, like half of the other folks on this list, 
you were originally led to believe that this <insert bug name here> was 
nothing to worry about. He did you a favor because now, while your vendor 
is claiming they knew nothing about it and doing the standard PR BS, your 
AV vendor has signatures and your IDS install can let you know you 
just got owned. He is the person that showed you that this nonexistent 
threat in reality was a threat. Maybe I am missing something.

You don't have a problem with other researchers because some of them are 
sheep of the same herd you flock in. Perhaps it's because you sat in the 
dark vulnerable for months on end and had no clue that you had the 
potential of getting owned. You just got a little more comfort because 
you were notified that a patch was available at the same time you found 
out your browser was just a big pile. In reality you were a sitting duck 
like a lot of other folks.

Just because a bug is not public, or just because the vendor does not 
know about it, certainly does not imply that someone else has not already 
found it and begun exploiting it. Wake up and smell the napalm.

>     Gadi.
>
