Dailydave mailing list archives

Re: Another anonymized posting.


From: ned <nd () felinemenace org>
Date: Wed, 9 Jun 2004 20:46:46 -0700 (PDT)

On Wed, 9 Jun 2004, Dave Aitel wrote:

anonymized posting please:

On Jun 9, 2004, at 17:04, anonymized clown wrote:

> Hi list!


Hi Clown!

Nice rant.

Look, I don't give a shit how or why CVS bugs are found.  I don't even give
a shit if the bugs found are the low hanging fruit or the most complex
quadruple redirected heap overflow with self optimizing eggs.

What I do give a shit about is that these bugs are made public and
squashed ASAP.

Think about it.  Every CVS 0day is an opportunity for a minuscule
subset of the earth's population to own projects' source trees.  Owning
a source tree can only lead to serious badness.

BTW, the way things are going, I'd consider switching to svn.


I think the svn team is a little late, as there should be an advisory due
out really soon detailing a heap overflow in svnserve.

I know how people like OllyDbg screens:
http://felinemenace.org/~nd/SMUDGE/svn1/svn2.png

I'd consider writing your own in python, if anything.

>
> http://security.e-matters.de/advisories/092004.html
>
> More CVS bugs killed, bringing the number of published CVS bugs
> from e-matters (not that all were found by e-matters, but counting
> them as the originating point of the advisory) to eight.  Unless
> I've missed some.
>
> The question now is - is CVS safe to use?
>
> If you're killing bugs for fame (or because you used to be a
> hacker, and decided to do your part to ruin that wonderful
> experience for today's youth - you know who you are, and this isn't
> directed at a single person (but the single person that thinks it
> is should take this to heart)) you should probably find something a
> bit more noble to do with yourself.  If the best you can do is to try
> destroying something you once loved, just because you've decided to
> grow up and no longer be a part of that, then you're simply an
> uninteresting person.  Nothing more than a one trick pony.  And
> while you might be great at that one trick, you're still generally
> a complete waste of humanity.
>
> If you're killing bugs as a legitimate effort to make something
> secure, you need to realize that unless you can stand behind your
> releases and say that "this software is now secure" you aren't
> doing anything.
>
> You might think that you are some sort of internet superhero, but
> unless you can actually give some sort of guarantee that the
> software is safe for use, you are nothing but another KF (by KF, I
> mean clueless idiot finding easy bugs for fame and obviously not
> being able to make a promise of security in an application after
> your audit) just making noise, hoping enough of the public is dumb
> enough to be impressed with your childish actions and bring a few
> dollars your way.
>
> Probably the greatest thing that has happened with full disclosure
> efforts recently, was ISS and their proftpd bug.  Most impressive
> was the exploitable bug introduced with the patch.  Why this didn't
> get any real attention, I'm not sure.  But a security company
> recommending to patch for a bug they found, with a bug they've
> written, is funny. And if they want to say it wasn't part of the
> patch they provided that's fine - it is still their obligation to
> their clients to say, "this patch is safe to use".
>
> So, back to the point - will any representative of e-matters like
> to step forward and say, "CVS is safe to use"?  Or are they going
> to sit idle and say, "sure, we found some bugs, but there could be
> more, we don't know!" and continue to blow smoke up the asses of
> the public?
>
> Because, that's what this disclosure nonsense is all about, without
> someone having the balls to stand by their work and say they've
> provided security.
>
> In other news, the iDEFENSE squid advisory is worth laughing at.
>
> http://lists.netsys.com/pipermail/full-disclosure/2004-June/022415.html
>
> A friend and I were discussing the other night some modifications
> to these bullshit "disclosure guidelines".  We'd like to see
> security companies only release advisories concerning default and
> widespread issues - anything else should just be silently fixed. If
> you can't come up with something interesting, stop trying to
> pretend that it is to sell your imaginary security services.
>
> Back to the advisory itself - linking to a specific patch for the
> problem, and advising to "Recompile Squid-Proxy with NTLM handlers
> disabled." is funny.  For those of you at iDEFENSE who don't
> understand why this is funny, if your clients have specifically
> built their Squid with that functionality, it almost certainly
> means they need that functionality!  So, why not figure out how to
> actually use the patch and advise them to use that?  Because,
> you're just blowing smoke up their asses for a few dollars too.
>
> So, e-matters and iDEFENSE - care to step forward and make the bold
> claim of either product being safe to use?  "Safer" doesn't really
> mean anything in the world of computer security, so claiming the
> publication of single bugs makes it safer is pretty sad sounding!
>

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave


-- 
http://felinemenace.org/~nd
