Full Disclosure mailing list archives

Re: Re: I have fixes for the Geeklog vulnerabilities


From: John Sage <jsage () finchhaven com>
Date: Mon, 6 Oct 2003 09:49:34 -0700

hmm..

On Mon, Oct 06, 2003 at 10:34:16AM +0530, morning_wood wrote:

Overall, this is a textbook example of how NOT to handle security issues.
By not contacting the developers, posting a report full of inaccuracies,
and, in the end, mostly non-working examples, Lorenzo Hernandez Garcia-
Hierro has caused uncertainty and confusion amongst the Geeklog users and
basically wasted everyone's time, including that of the developers. 

Dirk Haun,
Maintainer of the Geeklog 1.3.x branch,
Geeklog Development Team

 Do your own work then... or would you have preferred him
and whoever else he could tell to abuse Geeklog privately until
you perhaps stumble across the issues? Disclosure helps everyone,
Any security disclosure is good,

/* snip */

"Any security disclosure is good..."

A wonderfully naive attitude.

Ever hear of lying? Disinformation? Libel? FUD?

Or simply of someone being wrong?


"Disclosure" without any technical evidence is gossip at best.

Unfortunately, there are some who will believe almost anything they
read.


- John
-- 
"You are in a twisty maze of weblogs, all alike."
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

