Full Disclosure mailing list archives
Re: Valid disclosure analogy
From: full-disclosure () lists netsys com (pooh pooh)
Date: Mon, 26 Aug 2002 11:25:52 +0000
That fact does not break the analogy.
it does. see below.
If I find a flaw in a bank's security system, I might not be the one who will be able to exploit it. Furthermore, some bank accounts may only be accessible with specific credentials required by someone working in the bank, which will be exactly the same as the situation of a 'closed network' you were presenting.
how many 'closed networks' are out there? would your ability to break into one of them give you any info on all the others? would the ability to break into bank 'A' give you eventually all info about the accounts in bank 'A'? while the former is a definitive 'no', the latter is a 'maybe'. ie. the analogy is wrong.
Read. I do not mention anything else than your ability to break in the bank. No mention on what client accounts are vulnerable.
it's irrelevant. see above.
In one word, since your first post, you only talk shit, frenchie.
merde, i've been exposed!
You clearly said "blackhat". I guess that implies criminal, unless you now consider pentesters are blackhats?
if it's *your* guess, why do you extend it to *me*? and if you read my words again, you'll see the examples of blackhats/hackers/whatever who are not criminals - you guessed wrong. and there are pentesters who are blackhats, whatever you want to mean by those words. nowhere did i generalize to 'all' however, which you want to make it appear.
Man, are you for real?
i take it you failed to establish the analogy then.
Absolutely not. Banks have the entire right to show you their security measures. In fact, for specific clients ($$$$$), they do. You seem to enjoy using bullshit arguments, don't you?
you never worked for a bank, apparently, there's not much to argue about that.
You used it? You trust it? I guessed so.
yes on both accounts. guess that's not what you expected. and in any case, the point was to prove your saying "As for making a binary patch, I have yet to see any poster on this mailing list do it ;)" wrong, which i did.
Therefore, this ability you have of fixing things is irrelevant, and not even used by bugtraq posters.
wrong of course. and unless you've asked every single bugtraq poster (did you mean reader btw?), you couldn't possibly know anyway - yet another unfounded generalization from you.
People want to disclose, that's all.
wrong. people want to help. not all, not all the time of course. which is quite contradicting your generalization of the above (don't come back saying you didn't generalize, you said "that's all").
And? Why you say I'm wrong? Where did I say MS is the sole software company on the planet or that it's the only one having bugs in their software?
you cited MS as the one which "rarely take outsider advice at face value". and i said MS is not the only software company, i.e. how would you know what other companies do? obviously you don't.
Why the fuck would you care about what path I prefer?
well, who knows. maybe i find you sympa and would like to buy you a flower. or maybe because i believe that there's a difference between 'talking out of one's ass' and 'presenting self-consistent arguments' and i like to know which describes your posts best. nothing biggie, don't worry about it.
I don't "promote myself".
sure thing. and is your opinion on things not part of 'yourself' either?
no, you don't understand what i said. banks would never hire you (the bug hunter) to fix their security problem, there is exactly 0 freedom of choice for them (if you don't believe me, just call up your bank and ask around).
What part of your imagination you take that bullshit from?
i said it already, you had never worked for a bank. you have no idea how one works. and apparently you didn't call. what a pity.
God, you really thought I was saying 'any' literally?
appeared so. a-n-y. when read it looks like 'any', quite literally.
I meant bugtraqers (yes, that basically means more than one) disclose bugs in commercial software with the intent of forcing the vendors to fix them. It is not common behavior to give a patch for commercial software.
i'm sure there was more than one occasion when patches like that got published. besides in the given context 'any' means 'any one of them'; language is apparently not your best skill. and you might even be right about the intents of bugtraq posters and how commonly they actually fix stuff, however that has nothing to do with your (failed) attempts at generalization all the time.
Boy, you must look stupid.
merci monsieur, added to my little book of 'compliments'.
If you don't then it won't be your responsibility, and I won't beat the shit out of your fucking skull.
that is, you're ok with people keeping bugs to themselves and as a side effect causing you damage?
You also say you do not have the authority to switch the managers of the company assets. That kinda conflicts, don't you think?
no, it's a different example. as much as you adapt yours 'runtime', allow me to do the same, will you?
Where you see "all" ?
at several places. "autohack all openssh" or "the bug was (somehow) reproduced in all the copies". are you still claiming that "I did not say all were compromised." ? if you're so proud of your apparently higher intelligence, then why don't you admit that your argument above has failed?
mass-own implies "massively owned" not "all owned". Has nothing to do with actual actions or not, just fact that them not all being owned is irrelevant.
so "autohack all openssh" doesn't imply "all owned", let alone action. ok. you got a weird interpretation of words, but what the heck, if you say that shall save your argument, so be it. the rest of us knows it better regardless of how you tweak it ;-).
As a matter of fact, all frenchies in the field that are not blackhats do speak shit english and lack intelligence.
why would being a french blackhat enhance one's language skills and intelligence? or does it go the other way? every intelligent english speaking french is by extension a blackhat? either way, you have a hard case to defend ;-).