Dailydave mailing list archives
Another anonymized posting.
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 09 Jun 2004 18:26:06 -0400
anonymized posting please:

On Jun 9, 2004, at 17:04, anonymized clown wrote:

> Hi list!

Hi Clown! Nice rant.

Look, I don't give a shit how or why CVS bugs are found. I don't even give a shit if the bugs found are the low hanging fruit or the most complex quadruple redirected heap overflow with self optimizing eggs. What I do give a shit about is that these bugs are made public and squashed ASAP.

Think about it. Every CVS 0day is an opportunity for a minuscule subset of the earth's population to own projects' source trees. Owning a source tree can only lead to serious badness.

BTW, the way things are going, I'd consider switching to svn.

> http://security.e-matters.de/advisories/092004.html
>
> More CVS bugs killed, bringing the number of published CVS bugs from e-matters (not that all were found by e-matters, but counting them as the originating point of the advisory) to eight. Unless I've missed some.
>
> The question now is - is CVS safe to use?
>
> If you're killing bugs for fame (or because you used to be a hacker, and decided to do your part to ruin that wonderful experience for today's youth - you know who you are, and this isn't directed at a single person (but the single person that thinks it is should take this to heart)) you should probably find something a bit more noble to do with yourself. If the best you can do is to try destroying something you once loved, just because you've decided to grow up and no longer be a part of that, then you're simply an uninteresting person. Nothing more than a one trick pony. And while you might be great at that one trick, you're still generally a complete waste of humanity.
>
> If you're killing bugs as a legitimate effort to make something secure, you need to realize that unless you can stand behind your releases and say that "this software is now secure" you aren't doing anything.
>
> You might think that you are some sort of internet superhero, but unless you can actually give some sort of guarantee that the software is safe for use, you are nothing but another KF (by KF, I mean clueless idiot finding easy bugs for fame and obviously not being able to make a promise of security in an application after your audit) just making noise, hoping enough of the public is dumb enough to be impressed with your childish actions and bring a few dollars your way.
>
> Probably the greatest thing that has happened with full disclosure efforts recently was ISS and their proftpd bug. Most impressive was the exploitable bug introduced with the patch. Why this didn't get any real attention, I'm not sure. But a security company recommending to patch for a bug they found, with a bug they've written, is funny. And if they want to say it wasn't part of the patch they provided that's fine - it is still their obligation to their clients to say, "this patch is safe to use".
>
> So, back to the point - will any representative of e-matters like to step forward and say, "CVS is safe to use"? Or are they going to sit idle and say, "sure, we found some bugs, but there could be more, we don't know!" and continue to blow smoke up the asses of the public?
>
> Because, that's what this disclosure nonsense is all about, without someone having the balls to stand by their work and say they've provided security.
>
> In other news, the iDEFENSE squid advisory is worth laughing at.
>
> http://lists.netsys.com/pipermail/full-disclosure/2004-June/022415.html
>
> A friend and I were discussing the other night some modifications to these bullshit "disclosure guidelines". We'd like to see security companies only release advisories concerning default and widespread issues - anything else should just be silently fixed. If you can't come up with something interesting, stop trying to pretend that it is to sell your imaginary security services.
>
> Back to the advisory itself - linking to a specific patch for the problem, and advising to "Recompile Squid-Proxy with NTLM handlers disabled." is funny. For those of you at iDEFENSE who don't understand why this is funny, if your clients have specifically built their Squid with that functionality, it almost certainly means they need that functionality! So, why not figure out how to actually use the patch and advise them to use that? Because, you're just blowing smoke up their asses for a few dollars too.
>
> So, e-matters and iDEFENSE - care to step forward and make the bold claim of either product being safe to use? "Safer" doesn't really mean anything in the world of computer security, so claiming the publication of single bugs makes it safer is pretty sad sounding!

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Another anonymized posting. Dave Aitel (Jun 09)
- Re: Another anonymized posting. Rodney Thayer (Jun 09)
- Re: Another anonymized posting. Matt Hargett (Jun 09)
- Re: Another anonymized posting. Rodney Thayer (Jun 09)
- Re: Another anonymized posting. Matt Hargett (Jun 09)
- Re: Another anonymized posting. H D Moore (Jun 09)
- Re: Another anonymized posting. ned (Jun 09)
- Re: Another anonymized posting. ninjatools (Jun 09)
- Re: Another anonymized posting. Rodney Thayer (Jun 09)