Re: Re: [WEB SECURITY] Cross Site Scripting in Google

[n3td3v <xploitable () gmail com>]

On 7/6/06, Martin O'Neal <martin.oneal () corsaire com> wrote:
> > my opinion is that full disclosure is not for vendors ..
> > it's for users. full disclosure is for us to know how to
> > react on certain threads.
>
> Which is just fine if you are technically competent to understand the
> threat, and there is also a valid mitigating strategy you can employ
> immediately.  For the vast majority of situations though, this just
> isn't the case.  The users are not technically competent enough to
> understand the true threat posed by an entry on a news group (which are
> generally hopelessly incomplete and/or factually inaccurate) and then
> this is coupled with a vulnerable product that may be essential,
> difficult to protect, and a stable official fix that may be weeks or
> months away from delivery.
>
> I personally also believe in full disclosure, but it has to be delivered
> in a responsible fashion.  Dispatching vulnerabilities to a public list
> without even attempting to contact the vendor is clearly not in the best
> interest of the vendors nor the great majority of the user base.
>
> Martin...


Theres more complexed issues to take into consideration which are
hiding under the surface. While I respect you folks are thinking on a
professiona, responsible and politcally correct notin, its not always
as clear cut as that.

Folks like "nsnake" a lot of the time don't give a crap about the
vedor or the knock on effect their disclosure might have, a lot of the
time a disclosure is attention driven.

Also, theres cases where the user has already contacted the vendor and
has been given bad treatment in the eyes of the researcher. This is
when a user might go onto a list to try and scare a vendor back into
talks with the researcher, by showing the vendor you're more than
willing to spill all to the public.

Finally, I wouldn't go judging folks and their competence, because you
cannot tell straight off what a user knows from reading their
advisory. It is easy for folks to use a nickname and carefully craft a
bad advisory presentation and give inaccurate information with the
disclosure. Remember, the researcher hasn't always got your best
interests at heart, nor the interest to prove a level of competence to
an open audience. The days of trying to be elite infront of folks is
fading, thats the old scene. The new scene is money, and self agenda
driven, than proving yourself to the vendor or wider security
community.

Sure, nsnake could very well be a dumb ass, but i wouldn't straight
away jump to conclusions. Generally, anyone who has found this list
and is reading it, has a default level of competence,  more than a lot
of professionals realise. You the professional, just take for granted
that you are the expert, and the people throwing you advisories are
dumbasses, unless they meet your criteria of what you expect someone
who knows what they're talking about should look like.

Its not always clear cut, and you don't know the background a lot of
the time why the advisory has been released, who originally found the
vulnerability, off list arguments between members of the security
community or (and) the vendor.

Don't expect people to be on your side, and be civil towards you, even
if the person is more than capable of being such in a real life
environment.

Take what you are given by researchers and don't bite the hand that
feeds you. Once you bite the hand, its unlikely he'll be able to throw
you more information, if he hasn't got his hand anymore. Either that,
or he just won't want to give you more information, if SCR (security
community relations) have been dashed by a select few on a mailing
list who decided to determine and infulence his/hers style of
disclosure and what, if any technical knowledge that researcher has,
purely on your correspondance between the researcher and professional.
Remember, sometimes, the researcher doesn't want to play along with
your technical discussion, and would rather confuse or conceal the
true skill set of the researcher to the enemy. (Yes a lot of the time,
in the mind of the researcher you are known as the enemy, and he
doesn't give a rats ass what you think)...

Thanks,
n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/