Open Source and information security mailing list archives
 
Message-ID: <13a7c2d20804260613y2dced3aeq9bafeff7e92662e0@mail.gmail.com>
Date: Sat, 26 Apr 2008 09:13:14 -0400
From: "G. D. Fuego" <gdfuego@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: n3td3v <n3td3v@...glegroups.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Could n3td3v win a Pwnie award?

On Fri, Apr 25, 2008 at 10:48 PM, n3td3v <xploitable@...il.com> wrote:

>
> David, your research was responsible for the SQL Slammer Worm... but
> that makes you elite doesn't it, not a black hat.
>
> No wonder the UK security service is interested in you, but I wouldn't
> call it an achievement, that calls you irresponsible in my view.
>

David is responsible for the Slammer worm because he discovered the
vulnerability that it used?

Personally I would have placed the blame on either Microsoft's bad
development processes which allowed these types of bugs to be released
undiscovered.  In fact, after Slammer and Code Red worms, Microsoft
implemented a Security Development Lifecycle in order to prevent these types
of bugs going forward.

Or perhaps place the blame on Systems administrators who installed Microsoft
SQL server exposed to the Internet on so many systems, and failed to patch
them in the 6 months after the vulnerability was discovered.

Or perhaps blame the worm writer who turned a vulnerability into code that
made such a large impact on the net.

In fact, if Security Researchers are to blame for any bad uses of the
vulnerabilities they discovered then what are you doing here?  Why should
ANYONE want to take part in your vulnerability notification day if you
believe that the UK Security Service should be tracking these people?
Considering you claim to be so close to them, wouldn't that just be
registering with that agency?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
