Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: rain forest puppy (rfpWIRETRIP.NET)
Date: Tue May 02 2000 - 17:24:30 CDT


While I'm on this thread....

> I am not faulting Steve for publishing the advisory unmodified but I do
> wish that those who submit them display some restraint.

So now it is the liability and responsibility of the security researchers,
and not of the original software vendors?

> For true security professionals (and not those pretend professionals) it
> creates nothing short of a nightmare for us, and gives our profession a
> bad name, when some irresponsible individual or group decides to expose
> in detail the steps required to break into a site and to give examples
> of the range of privileged information that can be obtained.

So, instead, hide the problem, hide the scope of exposure, and in general,
act like it didn't exist?

I would argue that's what the "pretend professionals" would want, as it
definitely makes their day-to-day responsibilities much easier, and fares
better for the vendor.

Sure, so, should grey/white hats see this as a plea to keep our exploits
to ourselves? Imagine the profit I could extort using some unknown
vulnerability to access sensitive corporate information.

Mmmmmm, maybe I'm on the wrong side of the game; after all, I must only be
a "pretend professional".

- rain forest puppy
