Message-Id: <EDFBF3E6-AA5E-11DB-BB14-0003937570C8@yahoo.co.uk>
Date: Mon, 22 Jan 2007 23:24:23 +0200
From: fanboy_macpwnie@...oo.co.uk
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 'Rixstep still aren't as leet as they thought they were'
<http://rixstep.com/2/20070121,00.shtml>
Oh it's been fixed all right - Mr Anonymous with the Bent didn't stay
around long enough to find out.

What's interesting of course is that Mr Anonymous 'backdated' the
advisory to make the company look bad. This is not 'full disclosure' -
this is the typical immature behaviour of an Apple fanboy.

He got excited on 15 January, did in fact find a bug, and then searched
the entire Rixstep site for mention of the product. The earliest he
could find was 23 November last year. So he 'backdated' his advisory to
the day after.

Unfortunately this cowardly fool didn't take the time to consider
several things.

- There are serial numbers on all SF advisories. Several dozen before
  his are all dated 15 January 2007. It becomes obvious he's backdating.
- The product Mr Bent tested is not the product released on 23 November.
- Mr Bent would have the world think he actually contacted Rixstep
  prior to going public with his 'nasty bug'. But in such case he got his
  hands on a copy of a product two weeks prior to it being written.

As with Steve Jobs, Nancy Heinen, and Fred Anderson, backdating is
generally a Bad Idea(tm).

But the bug has indeed been fixed and Security Focus have been alerted
to the issue with the behaviour of this person and corrected the
appropriate records.

Basically all this proves is that this fanboy - behaving fanboyer than
others - has a sick mind - something most of us already knew. But now
it's out in the open. His goal was to make MOAB and Rixstep look bad
and in the end it's only he and his fanboy friends who look bad. Again,
very typical of the way things go for Apple fanboys.

The objective of full disclosure is to close security gaps in software
so users are not victimised. It is not to be able to strike back at
people like MOAB (or Rixstep who support their efforts) who dare
criticise their beloved platform.

Apple fanboys have attacked Brian Krebs, Dan Gillmor, Andrew Stone,
Avie Tevanian, George Ou, Kieren McCarthy - and now MOAB and Rixstep -
where other vendors such as Microsoft simply say 'yes we know; we are
going to fix it' and Microsoft software users take a calm and rational
stance to it all.

Wikipedia's definition of 'fanboy' is as follows.

'Fanboy is a term used to describe an individual (usually male though
the feminine version fangirl may be used for females) who is utterly
devoted to a single fannish subject or to a single point of view within
that subject, often to the point where it is considered an obsession.
Fanboys remain loyal to their particular obsession, disregarding any
factors that differ from their point of view. They are also typically
hateful to the opposing brand or competition of their obsession
regardless of its merits or achievements.'

You can't cure a fanboy just as you couldn't convince the citizens of
Jonestown to come home and save themselves - and they will become
aggressive to those who try to help them. Wiki's words are good here -
this is just a fact of life.

Bottom line? Rixstep are just as 'leet' as they claimed: their stance
is not merely that they write better code and do more QA than other
companies but that they're actively soliciting bug hunts - they won't
hide in the PR department like some other companies. If this is 'leet'
then all software companies should try to be as 'leet': software users
would only benefit.

Also of note is that the cowardly Mr Bent, attempting to take the
ethical high ground, still hides behind 'anonymity'. If everything were
so above board and he felt no shame and disgust at his behaviour - then
why hide? Rixstep do in fact offer rewards for people who find bugs -
and have given away two products already as a result - but they're not
about to give them to nasty anonymous Apple idiots.

This post has little relevance to FD but OTOH neither did any of the
rantings of this lunatic. It's merely to set the record straight. Watch
out for fanboys and if you're contemplating migrating to OS X (most
likely you're not) consider you will run into these suicide users all
over the place.

PS. It should also be pointed out that this lunatic's supposed 'proof
of concept' actually proved nothing and was in fact extremely
amateurish code. Yes he did discover a bug, but his advisory and proof
of concept code had even more (and more dangerous) bugs. In a word: it
had 'fanboy' written all over it.

His claim he produced a denial of service even if his exploit failed
basically sealed his fate: that's about the dumbest thing ever posted
to SF or FD or anywhere ever. When you have two hot ('for (;;)') loops
running in side-by-side processes and both acting on the file system of
course you get yourself in a tight situation - but no one but a fanboy
would ever try something so immature - this is totally independent of
any external software you claim to be testing.

And when you have something like 'system("/bin/cat > <target>
<source>")' inside a compilable file you know you're dealing with
someone very special - and thankfully extremely unusual.

Nobody's coming home from Jonestown. Fanboys are fanboys and will
remain fanboys - and they get fanboyer all the time.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/