Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability

From: Tremaine (tremaine_at_gmail.com)
Date: 07/05/04

    To: Eric LeBlanc <inouk@igt.net>
    Date: Mon, 5 Jul 2004 12:22:54 -0600
    
    

    On Mon, 5 Jul 2004 13:42:14 -0400 (EDT), Eric LeBlanc <inouk@igt.net> wrote:
    > On Mon, 5 Jul 2004, System Outage wrote:

    > > Tremaine <tremaine@gmail.com> wrote:
    > > It's about posting security advisories. The initial poster advises
    > > they notified the gmail team, and posted this advisory 10 days later.
    > >
    > > It is immaterial whether an application is in alpha, beta or
    > > production. If the software or application is in use outside the
    > > development team, and there is a security issue, it is relevant to
    > > this list.
    > >
    > >
    > > It's called Full Disclosure for a reason... not partial disclosure,
    > > not disclosure of production applications only... Full Disclosure.
    > >
    > > If you want partial disclosure, you may need to rethink your
    > > subscription to the list.
    > >
    > >
    > >
    > > --
    > > Tremaine
    > > IT Security Consultant
    > >
    >
    > I agree with "System Outage". Gmail clearly told us that their website is
    > in BETA stage.
    >
    > For me, when software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
    > this software MAY HAVE security holes. That's why they want us to test
    > this site before going to the public release, and it's our job to notify
    > the gmail team of all bugs AND security holes we may find. As long as
    > this website is in beta stage, all advisories that someone may send to this
    > list or elsewhere are NOT considered 'Security Advisory' for me.
    >
    > The original author may not receive answers from the Gmail Team, but this
    > site is NOT IN PRODUCTION. When the gmail site is official and this
    > bug is still there, THEN you can publish your security advisory.
    >
    > Furthermore, the best people for testing the software (bugs and security
    > holes) are the public. They can do many things which we would never
    > have thought of or imagined.
    >
    > BTW, I'm sure that the Gmail developers expect that the public will find
    > some security holes...
    >
    > If we must publish all security advisories about beta software, this list
    > will be flooded...
    >
    > E.
    > --
    > Eric LeBlanc
    > inouk@igt.net
    > --------------------------------------------------
    > UNIX is user friendly.
    > It's just selective about who its friends are.
    > ==================================================

    I think this may be one of those instances where we'll have to agree
    to disagree. Certainly I would take a dim view if the original poster
    hadn't notified gmail in advance of their advisory to FD. I do not
    however believe that beta software that is in widespread use should
    be excluded from public scrutiny and notification. Gmail was not
    released simply to a select few, it has been opened up via gmail
    invites to widespread usage, and is being profited from via targeted
    commercial advertising.

    The advisory also may point towards other coding issues in Google
    itself, which can then be investigated based on the information.

    Anyhow, as I noted above I think we may just have different uses and
    expectations of FD, and I for one don't have an issue with one like
    this being brought out.

    Cheers,

    -- 
    Tremaine
    IT Security Consultant
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    