Message-ID: <1104399367.7918.19.camel@gibson>
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Multiple Backdoors found in eEye Products (IRISand SecureIIS)

I'd have to agree with the eEye statement on this one. You sent out an advisory without disclosing the details, which offers no real benefit to anyone. Many people consider this responsible disclosure but that also requires you to notify the vendor (there were no @eeye.com's in your "to" list but there were a couple of press mailboxes).

You didn't contact eEye, you didn't release details, you used an anonymous address and failed to mention or credit any of the other guys in your "testing team". This can only lead us to believe that the advisory is fake and only intended to generate bad press for eEye.

I personally don't care about eEye's PR rating but I do care about the level of noise on these lists and I do care about backdoor-ed commercial products that are in common use.

You may have an issue with eEye and see this as revenge. However, I doubt you also have an issue with the many admins who probably have spent their holiday season investigating these claims, when there are likely more pressing matters to address, such as a large stock of alcohol.

Show us details, or be quiet.

If you intended to embarrass eEye the plan backfired as any competent professional on this list (there are a few - I've heard stories about them) would see this as a shameful attempt and would be laughing at you, not eEye.

Season's greetings to eEye and all Full Disclosure subscribers - even you "Lance Gusto".

With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]