lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4C111247.9070809@pacbell.net>
Date: Thu, 10 Jun 2010 09:26:47 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: Tavis Ormandy <taviso@...xchg8b.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows Help Centre Handles
 Malformed Escape Sequences Incorrectly

You commented that Microsoft needs to address a communication problem.  
It's irrelevant to the full disclosure issue in my mind.

I'd honestly like to know if there is a break down in communication at 
the MSRC that needs to be addressed.  It appears there is one?


Tavis Ormandy wrote:
> Susan, this is what is called "full disclosure", and my response was
> relevant.
>
> I will not answer anymore uninformed questions on this topic.
>
> Thanks, Tavis.
>
> On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:
>   
>> I'm not asking about disclosure.  I'm asking what happened to the level 
>> of communication between you and MSRC that after 4 days you posted this?
>>
>> Tavis Ormandy wrote:
>>     
>>> Susan, I wish I had the time to hold your hand through getting up to
>>> speed on the disclosure debate. Instead, I would suggest starting with
>>> the links in my advisory which were intended to give you enough
>>> background to understand the issues involved (skip to the Notes section,
>>> if you like).
>>>
>>> As I cannot hope to speak as eloquently on the topic as Bruce, I will
>>> not attempt to repeat them for you here.
>>>
>>> If after researching the topic you still have questions, please let me
>>> know.
>>>
>>> Thanks, Tavis.
>>>
>>> On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
>>>  
>>>       
>>>> I'm not an enterprise customer, but I am a mouthy female. So here's my 
>>>> question back to you, for my education, how exactly did MSRC contact you 
>>>> back? 
>>>>
>>>> Since June 5th have you tried emailing back or any of your contacts from 
>>>> past interactions and asked what was up?  I'm disappointed in this lack 
>>>> of communication I see on both sides.  You are ...well... Tavis 
>>>> Ormandy... I seriously doubt MSRC is blowing you off here.
>>>>
>>>> Keep in mind we just had a LARGE patch week to deal with.  I don't know 
>>>> what was going on on their side, nor making excuses as I don't know what 
>>>> communication you've had in the past and had on this issue ... I'm just 
>>>> saying I would have spent a little more time getting mad at them and 
>>>> sent a lot more emails back to them before posting this.
>>>>
>>>> (And try dealing with Microsoft licensing sometime if you think security 
>>>> communication is lacking)
>>>>
>>>>    
>>>>         
>>>  
>>>       
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ