Full Disclosure mailing list archives

Re: Yahoo! Store Security Advisory


From: "Byron L. Sonne" <blsonne () rogers com>
Date: Sat, 25 Sep 2004 19:46:15 -0400

They don't know how to have a human discussion about serious flaws you
send them. They are so self-centred.
They make me want to act like a script kiddie and be malicious to the
Yahoo! network, but of course I know that's an irresponsible thing to
do.

This is precisely why I say 'fuck it' and believe that if/when you find something, publish it immediately. Don't bother giving notice to the vendors, whoever it is. Unless of course they're good people or you have an agreement. My personal rule is 'respect by default': everyone gets the benefit of the doubt (except Microsoft) but as soon as they step over the line, they've probably blown it forever. This includes them taking their sweet time getting back, being rude, nothing but form letters, etc.

I'm deadly serious; sometimes (i.e. too frequently) people need a fierce bitch-smacking to get their shit in order. Maybe when they finally realize and appreciate that people are going out of their way to look for issues in their product(s) or service(s) they'll smarten up. (Yeah right, but we can dream).

I have a few ideas about things that could be done to drive the point home more effectively, and it basically centres around hitting them where it hurts. Where's that? The wallet! So:

1. Publish the vuln/sploit/hole/whatever to media friendly lists
2. Make sure the info makes it to their competitors
3. Make sure the info makes it to their investors
4. Make sure the info makes it to their business partners
5. Make sure the info gets to their most relevant user communities

When it comes to investors, business partners, competitors, etc., it would really help to do your research and know who to contact inside the organization. Don't just send it to some email posted on their website (though do that too); call up the switchboard and socially engineer your way into finding out who the people who make stuff happen are.

All of this would be helped by well-written, intelligent documentation of the issues at hand. Don't speak like a lame scr1p7 |<1dd13 or stuff like that. Make it as easy as possible for the people who are receiving the information to (a) verify that it is true and (b) exploit the vulnerability. Include POC code. Write it so that even people who use Macs and Windows XP can figure out how to wreak havoc with it, i.e. give them a binary.

Perhaps I'll call this 'Ultimate Disclosure'?

Kick them in the nuts, and keep kicking, until they learn to run when they see you coming.

Regards,
Byron

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
