Dailydave mailing list archives

Another anonymized posting.


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 09 Jun 2004 18:26:06 -0400


anonymized posting please:




On Jun 9, 2004, at 17:04, anonymized clown wrote:

>> Hi list!


Hi Clown!

Nice rant.

Look, I don't give a shit how or why CVS bugs are found.  I don't even give
a shit if the bugs found are the low hanging fruit or the most complex
quadruple redirected heap overflow with self optimizing eggs.

What I do give a shit about is that these bugs are made public and
squashed ASAP.

Think about it.  Every CVS 0day is an opportunity for a minuscule
subset of the earth's population to own projects' source trees.  Owning
a source tree can only lead to serious badness.

BTW, the way things are going, I'd consider switching to svn.


>
> http://security.e-matters.de/advisories/092004.html
>
> More CVS bugs killed, bringing the number of published CVS bugs
> from e-matters (not that all were found by e-matters, but counting
> them as the originating point of the advisory) to eight.  Unless
> I've missed some.
>
> The question now is - is CVS safe to use?
>
> If you're killing bugs for fame (or because you used to be a
> hacker, and decided to do your part to ruin that wonderful
> experience for today's youth - you know who you are, and this isn't
> directed at a single person (but the single person that thinks it
> is should take this to heart)) you should probably find something a
> bit more noble to do with yourself.  If the best you can do is to try
> destroying something you once loved, just because you've decided to
> grow up and no longer be a part of that, then you're simply an
> uninteresting person.  Nothing more than a one trick pony.  And
> while you might be great at that one trick, you're still generally
> a complete waste of humanity.
>
> If you're killing bugs as a legitimate effort to make something
> secure, you need to realize that unless you can stand behind your
> releases and say that "this software is now secure" you aren't
> doing anything.
>
> You might think that you are some sort of internet superhero, but
> unless you can actually give some sort of guarantee that the
> software is safe for use, you are nothing but another KF (by KF, I
> mean clueless idiot finding easy bugs for fame and obviously not
> being able to make a promise of security in an application after
> your audit) just making noise, hoping enough of the public is dumb
> enough to be impressed with your childish actions and bring a few
> dollars your way.
>
> Probably the greatest thing that has happened with full disclosure
> efforts recently, was ISS and their proftpd bug.  Most impressive
> was the exploitable bug introduced with the patch.  Why this didn't
> get any real attention, I'm not sure.  But a security company
> recommending to patch for a bug they found, with a bug they've
> written, is funny. And if they want to say it wasn't part of the
> patch they provided that's fine - it is still their obligation to
> their clients to say, "this patch is safe to use".
>
> So, back to the point - will any representative of e-matters like
> to step forward and say, "CVS is safe to use"?  Or are they going
> to sit idle and say, "sure, we found some bugs, but there could be
> more, we don't know!" and continue to blow smoke up the asses of
> the public?
>
> Because, that's what this disclosure nonsense is all about, without
> someone having the balls to stand by their work and say they've
> provided security.
>
> In other news, the iDEFENSE squid advisory is worth laughing at.
>
> http://lists.netsys.com/pipermail/full-disclosure/2004-June/022415.html
>
>
>
> A friend and I were discussing the other night some modifications
> to these bullshit "disclosure guidelines".  We'd like to see
> security companies only release advisories concerning default and
> widespread issues - anything else should just be silently fixed. If
> you can't come up with something interesting, stop trying to
> pretend that it is to sell your imaginary security services.
>
> Back to the advisory itself - linking to a specific patch for the
> problem, and advising to "Recompile Squid-Proxy with NTLM handlers
> disabled." is funny.  For those of you at iDEFENSE who don't
> understand why this is funny, if your clients have specifically
> built their Squid with that functionality, it almost certainly
> means they need that functionality!  So, why not figure out how to
> actually use the patch and advise them to use that?  Because,
> you're just blowing smoke up their asses for a few dollars too.
>
> So, e-matters and iDEFENSE - care to step forward and make the bold
> claim of either product being safe to use?  "Safer" doesn't really
> mean anything in the world of computer security, so claiming the
> publication of single bugs makes it safer is pretty sad sounding!
>

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
