Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: Alan Maddison (alanmad@AYRES42.COM)
Date: Tue May 02 2000 - 18:45:29 CDT
Mr. Puppy
I support you all the way. If the vendors begin to think along the lines of
their corporate clients suing them because of inferior products and poor
security architectures then I think product quality would take a giant leap
forward.
It is only through actions of people like yourself that we have any hope of
forcing the software vendors into some semblance of good practices.
Down with the naysayers!
Alan Maddison
-----Original Message-----
From: rain forest puppy [mailto:rfp@WIRETRIP.NET]
Sent: Tuesday, May 02, 2000 3:25 PM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
While I'm on this thread....
> I am not faulting Steve for publishing the advisory unmodified but I do
> wish that those who submit them display some restraint.
So now it is the liability and responsibility of the security researchers,
and not of the original software vendors?
> For true security professionals (and not those pretend professionals) it
> creates nothing short of a nightmare for us, and gives our profession a
> bad name, when some irresponsible individual or group decides to expose
> in detail the steps required to break into a site and to give examples
> of the range of privileged information that can be obtained.
So, instead, hide the problem, hide the scope of exposure, and in general,
act like it didn't exist?
I would argue that's what the "pretend professionals" would want, as it
definitely makes their day-to-day responsibilities much easier, and fares
better for the vendor.
Sure, so, should grey/white hats see this as a plea to keep our exploits
to ourselves? Imagine the profit I could extort using some unknown
vulnerability to access sensitive corporate information.
Mmmmmm, maybe I'm on the wrong side of the game; after all, I must only be
a "pretend professional".
- rain forest puppy
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net