Message-ID: <8a6b8e350704080256y5e812712k60b1e9e93d383758@mail.gmail.com>
Date: Sun, 8 Apr 2007 02:56:52 -0700
From: "James Matthews" <nytrokiss@...il.com>
To: "Raven Alder" <raven@...eyedcrow.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Security Researcher Not Particularly Humiliated
I Agree
On 4/8/07, Raven Alder <raven@...eyedcrow.net> wrote:
>
> Hiya --
>
> > Security conference staff needs to do a better job of screening
> > their audiences to prevent this sort of harassment during
> > presentations. I must admit that I am afraid to present at future
> > conferences if there is the possibility of being humiliated like
> > this during my talks.
>
> As the researcher in question, I didn't feel particularly
> humiliated. Sure, I thought the guy was a troll, but I figured that he
> was just being a jerk to me because he had some chip on his shoulder and
> couldn't find anything to complain about in my talk. But really, his
> big tac-nuke against me was that there was some undisclosed bug in
> Apple's code? That's hardly my fault. I don't write their OS, and the
> thing was fully patched, firewalled, hardened, and still got popped.
> Shit happens.
>
> I didn't go public with it because I wanted a smoking gun first.
> Security is very much a "show me" industry, and I didn't want to make
> claims that I couldn't substantiate. I did approach Apple, and they
> pretty much blew me off. I sent them a detailed event report, offered
> up my system for forensic analysis, and offered to help in any way I
> could. They went to the press, gave a reporter my name (I had not gone
> to the press), and dished some crap about how I let my boyfriend use my
> computer and he probably did something to disable my firewall and cause
> it to auto-own itself or something. Dude. My boyfriend does not have
> admin permissions on my machine, for starters. Way to help, Apple.
>
> After realizing that Apple were not my friends and were more
> interested in their PR spin than they were in finding and fixing the
> problem, I stopped talking to them. I had several OS X geeks have a
> look at the system, and none of them were able to find anything more
> conclusive than I did. Forensics geeks, same thing. So, I dumped the
> filesystem for posterity, vowed that no OS X box was going on a hostile
> network again, and reformatted the thing.
>
> Sorry, folks, but I'm not going to share my filesystem dump with
> people that I do not already know and trust. Don't even ask.
>
> Not even if you're Apple. You leak my name to the press when
> I'm trying to help you find your flaw, you get no more help from me.
>
> All of this is pretty irrelevant to the talk I gave. Still, I
> don't feel that audience screening is the way to solve the problem -- I
> don't want to quash honest questions and interest in the projects I'm
> working on, and I think any screening that wouldn't be trivially
> defeated by lying-fu would be draconian enough to be detrimental to free
> and open discourse. There are always going to be trolls. I think the
> audience and convention response was about as good as it could have been
> -- the troll got told off by several people, two of them with the mike,
> but it was pretty clear that most people were more interested in the
> technical content of the talk than they were in his effort to get my
> goat. The conference organizers offered sympathy, and that was kind of
> them; I believe the guy got pitched out of the con for going on to
> harass a few other folks too. Charming gent.
>
> So, really, I don't think I have anything to be ashamed of, and
> I certainly don't feel humiliated. I can see why getting ad hominem
> questions might make getting up on stage more intimidating for future
> speakers, but I don't intend to let that shut me up. [grin]
>
> Cheers,
> Raven
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>