Message-Id: <6200FB5F-AA06-11DB-97EE-0003937570C8@rixstep.com>
Date: Mon, 22 Jan 2007 12:50:32 +0200
From: contact@...step.com
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 'Rixstep still aren't as leet as they thought they were'

<http://seclists.org/fulldisclosure/2007/Jan/0303.html>

Re: 'Rixstep still aren't as leet as they thought they were'

Oh it's been fixed all right. Mr Anonymous with the Bent didn't stay 
around long enough to find out.

What's interesting of course is that Mr Anonymous 'backdated' the 
advisory to make the company look bad. This is not 'full disclosure' - 
this is the typical behaviour of an Apple fanboy.

He got excited on 15 January, did in fact find a bug, and then searched 
the entire Rixstep site for mention of the product. The earliest he 
could find was 23 November last year.

Unfortunately this amateur didn't take the time to consider several 
things.

1) There are serial numbers on all SF advisories. Several dozen before 
his are all dated 15 January 2007. It becomes obvious he's backdating.

2) The product Mr Bent tested is not the product released on 23 
November.

3) Mr Bent would have the world think he actually contacted Rixstep 
prior to going public with his 'nasty bug'. But in such case he got his 
hands on a copy of a product two weeks prior to it being written.

As with Steve Jobs, Nancy Heinen, and Fred Anderson, backdating is 
generally a Bad Idea (tm).

But the bug has indeed been fixed and Security Focus have been alerted 
to the issue with the behaviour of this person and corrected the 
appropriate records.

Basically all this proves is that this person has a sick mind - 
something most of us already knew. But now it's out in the open. His 
goal was to make Rixstep look bad and in the end it is only he and his 
fanboy friends who look bad.

The objective of full disclosure is to close security gaps in software 
so users are not victimised. It is not to be able to strike back at 
people like MOAB who dare criticise their beloved platform.

Apple fanboys have attacked Brian Krebs, Dan Gillmor, Andrew Stone, 
Avie Tevanian, George Ou, Kieren McCarthy - and now MOAB and Rixstep - 
where other vendors such as Microsoft simply say 'yes we know; we are 
going to fix it' and Microsoft software users take a calm and rational 
stance to it all.

Wikipedia's definition of 'fanboy' is as follows.

'Fanboy or fanboi is a term used to describe an individual (usually 
male, though the feminine version fangirl may be used for females) who 
is utterly devoted to a single fannish subject, or to a single point of 
view within that subject, often to the point where it is considered an 
obsession. Fanboys remain loyal to their particular obsession, 
disregarding any factors that differ from their point of view. They are 
also typically hateful to the opposing brand or competition of their 
obsession regardless of its merits or achievements.'

You can't cure a fanboy just as you couldn't convince the citizens of 
Jonestown to come home and save themselves - and they will become 
aggressive to those who try to help them. Wiki's words are good here - 
this is just a fact of life.

Bottom line? Rixstep are just as 'leet' as they've claimed for their 
stance is not merely that they do more QA than other companies but that 
they're actively soliciting bug hunts - they won't hide in the PR 
department like some other companies.

Also of note is that Mr Bent, attempting to take the ethical high 
ground, still hides behind anonymity. If everything were so above board 
and he felt no shame and disgust at his behaviour - then why hide? We 
do in fact offer rewards for people who find bugs - and have given away 
two products already as a result - but we're not about to give them to 
nasty Apple idiots.

This post has little relevance to FD but OTOH neither did any of the 
rantings of this lunatic. It's just to set the record straight. Watch 
out for fanboys and if you're contemplating migrating to OS X (most 
likely you're not) consider you will run into these suicide users all 
over the place.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
