Message-ID: <CADYtyvKKh+SiqCy7NJqB9fc4X40_6hoi+4MJbcjZ1T2Q0=wKTg@mail.gmail.com>
Date: Wed, 11 Jul 2012 08:41:07 -0400
From: Григорий Братислава <musntlive@...il.com>
To: "Gary E. Miller" <gem@...lim.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: How much time is appropriate for fixing

On Tue, Jul 10, 2012 at 5:48 PM, Gary E. Miller <gem@...lim.com> wrote:

>
> Maybe, but my real world example shows your simplistic logic is wrong.
>

Is say who?

>
> Psych 101: Evil people have no shame.
>

And is you say my logic is wrong.

You: "If you become a whistleblower, you are evil for disclosing the
danger. How dare you post information on a vulnerability before
allowing the vendor to fix the issue. Lives are at stake, people are
in real danger!"

Is vendor have their act together, is problem never leave prior to
"test use cases" in Dev and Q&A. Where is responsibility of vendor
lie? Vendor is solely care to make money not is churn out fixes.

So according to is your logic:

MusntLive discover pedo, report pedo, authorities lallygag, MusntLive
publicize pedo info, MusntLive is evil.
MusntLive discover is Lockheed has glitch on plane cause pilot to
crash, MusntLive publish information so to for pilots can know,
MusntLive is evil for exposure.
MusntLive discover is flaw in mechanism that shut down power grid,
rush to warn people via full disclosure, MusntLive is evil.

Nice logic is there in your thinking. Perhaps maybe to if you are in Poland.

Is I discover flaw, what is make you think no one else is has discover
flaw. According to your is logic: "sit around and wait for the
responsible vendor to fix it. In the meantime worry little about the
dozens of other attackers that likely know about the flaw and are
actively exploiting it!" Nice logic Gary.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
