Re: Valid disclosure analogy

[full-disclosure () lists netsys com (pooh pooh)]

> That fact does not break the analogy.

it does. see below.

> If I find a flaw in a bank's security system, I might not be the one
> who will be able to exploit it. Furthermore, some bank accounts may
> only be accessible with specific credentials required by someone
> working in the bank, which will be exactly the same as the situation
> of a 'closed network' you were presenting.

how many 'closed networks' are out there? would your ability to break
into one of them give you any info on all the others? would the ability
to break into bank 'A' give you eventually all info about the accounts
in bank 'A'? while the former is a definitive 'no', the latter is a
'maybe'. ie. the analogy is wrong.

> Read. I do not mention anything else than your ability to break in the
> bank. No mention on what client accounts are vulnerable.

it's irrelevant. see above.

> In one word, since your first post, you only talk shit, frenchie.

merde, i've been exposed!

> You clearly said "blackhat". I guess that implies criminal, unless you >now 
> consider pentester are blackhats?

if it's *your* guess, why do you extend it to *me*? and if you read my
words again, you'll see the examples of blackhats/hackers/whatever who
are not criminals - you guessed wrong. and there are pentesters who are
blackhats, whatever you want to mean by those words. nowhere did i
generalize to 'all' however, which you want to make it appear.

> Man, are you for real?

i take it you failed to establish the analogy then.

> Absolutely not. Banks have the entire right to show you their security 
> measures. In fact, for specific clients ($$$$$), they do.
> You seem to enjoy using bullshit arguments, dont you?

you never worked for a bank, apparently, there's not much to argue about
that.

> You used it? You trust it? I guessed so.

yes on both accounts. guess that's not what you expected. and in any
case, the point was to prove your saying "As for making a binary patch,
I have yet to see any poster on this mailing list do it ;)" wrong, which
i did.

> Therefore, this ability you have of fixing thing is irrelevent, and >not 
> even used by bugtraq posters.

wrong of course. and unless you've asked every single bugtraq poster
(did you mean reader btw?), you couldn't possibly know anyway - yet
another unfounded generalization from you.

> People want to disclose, thats all.

wrong. people want to help. not all, not all the time of course. which
is quite contradicting your generalization of the above (don't come
back saying you didn't generalize, you said "that's all").

> And? Why you say I'm wrong? Where did I say MS is the sole software 
> > company on the planet or that its the only one having bugs in their 
> > software?

you cited MS as the one which "rarely take outsider advice at face
value". and i said MS is not the only software company, i.e. how would
you know what other companies do? obviously you don't.

> Why the fuck would you care about what path I prefer?

well, who knows. maybe i find you sympa and would like to buy you a
flower. or maybe because i believe that there's a difference between
'talking out of one's ass' and 'presenting self-consistent arguments'
and i like to know which describes your posts best. nothing biggie,
don't worry about it.

> I dont "promote myself".

sure thing. and is your opinion on things not part of 'yourself' either?

<>no, you don't understand what i said. banks would never hire you (the
<>bug hunter) to fix their security problem, there is exactly 0 freedom
<>of choice for them (if you don't believe me, just call up your bank
<>and ask around).
> What part of your imagination you take that bullshit from?

i said it already, you had never worked for a bank. you have no idea how
one works. and apparently you didn't call. what a pity.

> God, you really thought I was saying 'any' literally?

appeared so. a-n-y. when read it looks like 'any', quite literally.

> I meant bugtraqers (yes, that basicaly means more than one) disclose >bugs 
> in commercial software with the intent of forcing the vendors to >fix them. 
> It is not common behavior to give a patch for commercial >software.

i'm sure there was more than one occasion when patches like that got
published. besides in the given context 'any' means 'any one of them';
language is apparently not your best skill. and you might even be right
about the intents of bugtraq posters and how commonly they actually fix
stuff, however that has nothing to do with your (failed) attempts at
generalization all the time.

> Boy, you must look stupid.

merci monsieur, added to my little book of 'compliments'.

> If you dont then it wont be your reponsability, and I wont beat the >shit 
> out of your fucking skull.

that is, you're ok with people keeping bugs to themselves and as a side
effect causing you damage?

> You also say you do not have the authority to switch the managers of >the 
> company assets. That kinda conflicts, dont you think?

no, it's a different example. as much as you adapt yours 'runtime',
allow me to do the same, will you?

> Where you see "all" ?

at several places. "autohack all openssh" or "the bug was (somehow)
reproduced in all the copies". are you still claiming that "I did not
say all were compromised." ? if you're so proud of your apparently
higher intelligence, then why don't you admit that your argument above
has failed?

> mass-own implies "massively owned" not "all owned". Has nothing to do >with 
> actual actions or not, just fact that them not all being owned is 
> irrelevent.

so "autohack all openssh" doesn't imply "all owned", let alone action.
ok. you got a weird interpretation of words, but what the heck, if you
say that shall save your argument, so be it. the rest of us knows it
better regardless of how you tweak it ;-).

> As a matter of fact, all frenchies in the field that are not blackhats >do 
> speak shit english and lack intelligence.

why would being a french blackhat enhance one's language skills and
intelligence? or does it go the other way? every intelligent english
speaking french is by extension a blackhat? either way, you have a hard
case to defend ;-).

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com