(no subject)

[full-disclosure () lists netsys com (sockz loves you)]

> Aye, it is idiotic business practices, but as much as it is the $companies
> problem, it is also the users... as they are using the software with the
> hole, and they must protect themselves and their clients.

aye?  what are you a pirate?  i might also point out to the rest of this
list that "fred" is in fact the same pirate as "M L Lynch"... don't want
anyone getting mixed up on that point there.

i dont see how a bug in the user's software is anything that a _user_
should be doing anything about.  as i've said time and time again, if you
think you've found a bug in your software, go to the software vendor to
report it... not some open discussion list.  if the dudes who make your
software dont want to fix the damned thing THEN CHANGE F*CKING BRANDS! 
(where possible)
 
> Ok, but if someone like me finds a major security hole in a widely used
> system, chances are a great many $kiddles are already aware of the problem,
> wether thru self discovery (hehe, yeah right), or thru over hearing
> blackhats sharing info.

some important notes here:
1. blackhats dont release their exploits to the rest of the community.  any
blackhat who does is no more a "hacker" than a whitehat is.  just because you
have malicious intent doesn't mean you're not a whitehat.  and no, there is
no such thing as a grey hat.

2. like you noted, script kiddies lack the intelligence and skillz to find
their own bugs.  they hear about 0-day exploitz through their friends from
school, from "hacking" websites and so-called "hacker zines" which act in
just the same manner as whitehat mailing lists like bugtraq, full disclosure,
or vuln-dev.  THIS IS WHERE THESE MORONS GET THEIR ELITE INFO FROM!  NOT
THE BLACKHAT COMMUNITY (which advocates exactly the opposite)!

3. SO, if you find a "major security hole" in some piece of software, and
dont know how to fix it yourself, then CONTACT YOUR VENDOR!  i mean, dude,
its not that hard a concept to grasp.  alternatively you can muster the
intelligence to fix the bug yourself, and then use it to compromise other
people's machines.
 
> By releasing the exploit it allows two things,
>
> 1) Experience system administrators to devise temporary hacks to work around
> the bug until it is properly fixed. (and lets say no one did know about the
> exploit, I would lay money an experienced sys-admin could right a correction
> hack faster then most $kiddles could figure out how to turn a proof of
> concept in to something dangerous... or even compile some of then :p )

i dont see how this would be any different if you didn't report the bug to
the software developers alone.

> 2) It gives the $company motivation to fix the problem, where there was no
> motivation before... why would a mega-$company fix a bug if in their mind no
> one knew about it? they don't care... release info on the bug.. and proof of
> concept, and you question their reputation... this will get most $companies
> moving.

wow.  cuz its like this dude.  smaller software companies are worried about
their reputation and larger companies are worried about their investors.  any
company that didn't listen to something like that would be down right stupid.
it seems like i'm running around in circles here.  i mean, i must have ex-
plained this to you five times in completely different ways.  WHERE AM I
LOSING YOU?!

> Anyway, I am dribbling...

thats way to easy...
 
> Cheers

ah-hoy, matey!
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup