[17824] in bugtraq


Re: Submission

daemon@ATHENA.MIT.EDU (Georgi Guninski)
Tue Nov 28 17:17:02 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id: <3A23C8AC.C0EECFEB@guninski.com>
Date: Tue, 28 Nov 2000 17:01:00 +0200
Reply-To: Georgi Guninski <guninski@GUNINSKI.COM>
From: Georgi Guninski <guninski@GUNINSKI.COM>
X-To: hellnbak@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I rarely reply to "lame shit" as defined by the anonymous author but
since he offends me publicly I must reply.

1) Regarding my relations with AOL: Your conspiracy theory is wrong. I
own a software company in Bulgaria. My company has a contract with AOL
for finding bugs in Mozilla/Netscape 6. AOL pays my company only for
finding bugs in Mozilla/Netscape and for nothing more. AOL does not
require me to find bugs in any other product or service. I have posted
several vulnerabilities in Microsoft's products long before I had any
relations with AOL.

2) I do not concentrate on Microsoft's products. I concentrate on
Mozilla. If I really concentrated on Microsoft's products I suppose I
would find many more vulnerabilities.

3) Do you think I am so exceptional as to be the only one in the world
to find these vulnerabilities? I believe I am not.

4) Would you prefer that I not post anything to Bugtraq and on my web
site? Would you feel safer then?

5) I think the security state of most of the software industry right now
is extremely bad, reaching nightmare. But the problem is not the people
who discover the vulnerabilities but the people who ship the
products/services with vulnerabilities.

6) Regarding vendor response times: on my site there are vulnerabilities
which have not been fixed for 4 months and still work.

Georgi Guninski

hellnbak@HUSHMAIL.COM wrote:
>
> Don't know if you post this kind of lame shit, but I thought I would toss
> this together and see what it comes up with.
>
> ------------------------------------------------------------------------
>
> Vendor Response and Reporting Vulnerabilities.
> Written by:  HellNbak (hellNbak@hushmail.com)
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> At risk of starting the age old "Full Disclosure" debate again, I felt
> that I had to write this.  It seems lately, that the so called security
> industry has lost its backbone.  To quote a director of a popular security
> portal; "The whole thing is just sickening, I am waiting for someone to
> say something about it".  Well, here is your someone.
>
> What is sickening you ask?  The recent rash of advisories that contain the
> following text:  "I had contacted the vendor 3 days ago but they have not
> fixed the problem".  Then we will see a response from the vendor detailing
> how irresponsible and uncooperative the person has been and how they are
> trying to get a fix rolled out.
>
> Let's look at some of the recent Georgi Guninski advisories as these are
> the best example.  Let's look at some message threads recently found on
> Bugtraq and Win2KSecAdvice.  Thank you to Neohapsis for the excellent
> archive of these plus other lists.
>
> http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0054.html
> http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0055.html
> http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0056.html
>
> The first URL set details a problem that Georgi found with a Microsoft
> product.  Georgi decided that Microsoft needed only four (4) days to
> verify and fix the problem(s) he found.  The message thread is a little
> interesting as Microsoft took the time to point out the level of
> cooperation received by Georgi.
>
> http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html
>
> This URL is another Georgi advisory, again only giving the vendor, who
> happens to be Microsoft again, four (4) days to fix the problem.
>
> Let's refer to RFPolicy 2.0, http://www.wiretrip.net/rfp/policy.html.
>
> ------------------------------------------------------------------------
> "B. The MAINTAINER is to be given 5 working days (in respects to the
> ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the end
> of 5 working days, the ORIGINATOR should disclose the ISSUE. Should the
> MAINTAINER contact the ORIGINATOR within the 5 working days, it is at the
> discretion of the ORIGINATOR to delay disclosure past 5 working days. The
> decision to delay should be passed upon active communication between the
> ORIGINATOR and MAINTAINER.
>
> C. Requests from the MAINTAINER for help in reproducing problems or for
> additional information should be honored by the ORIGINATOR. The ORIGINATOR
> is encouraged to delay disclosure of the ISSUE if the MAINTAINER provides
> feasible reasons for requiring so.
>
> D. If the MAINTAINER goes beyond 5 working days without any communication
> to the ORIGINATOR, the ORIGINATOR may choose to disclose the ISSUE. The
> MAINTAINER is responsible for providing regular status updates (regarding
> the resolution of the ISSUE) at least once every 5 working days.
>
> E. In respect for the ORIGINATOR following this policy, the MAINTAINER is
> encouraged to provide proper credit to the ORIGINATOR for doing so.
> Failure to document credit to the ORIGINATOR may leave the ORIGINATOR
> unwilling to follow this policy with the same MAINTAINER on future issues,
> at the ORIGINATOR's discretion. Suggested (minimal) credit would be:
>
> "Credit to [ORIGINATOR] for disclosing the problem to [MAINTAINER]."
>
> F. The MAINTAINER is encouraged to coordinate a joint public
> release/disclosure with the ORIGINATOR, so that advisories of problem and
> resolution can be made available together."
>
> ------------------------------------------------------------------------
>
> From reading this section of RFPolicy, it is clear that Georgi Guninski
> was not too far off of the mark by only giving Microsoft four days to
> respond.  But was he really?  Did Georgi cooperate with Microsoft?
> According to Microsoft he did not.  Georgi himself claimed to not be
> required to work with Microsoft for free.
>
> Let's jump away from this for a minute so I can clarify a few things.
>
> A.)  I am not a Microsoft employee or even all that pro-Microsoft.  I am
> using Microsoft as my example as I do feel that they are treated unfairly
> by most when reporting vulnerabilities.
>
> B.)  There is nothing forcing Georgi or anyone for that matter to follow
> RFPolicy, but the policy is a good idea and is very sound, so why not
> follow it.
>
> C.)  This one is important, for those of you who do not know, Georgi
> Guninski is a security contractor.  Currently, he is under contract with
> AOL/Netscape.  Hmmmmmm......
>
> OK, with that being said many of you are probably thinking that Georgi is
> not allowed to cooperate with Microsoft because of his job with
> Netscape/AOL.  To be blunt, this is nothing more than a lame excuse.
> Companies work with their competitors over security holes constantly.  In
> fact, I have seen advisories (the recent MS Network Monitor ones as an
> example) that contain issues worked on by two very competitive companies,
> ISS and NAI.
>
> Could one assume that Georgi is only releasing his vulnerabilities in this
> fashion because Microsoft is a competitor?  What is Georgi's job
> description at Netscape?  Why is Georgi only concentrating on Microsoft
> products?  Something smells here, and for once it is not Microsoft.
>
> I am a supporter of full disclosure, or should I say RESPONSIBLE full
> disclosure.  It seems to me that people like Georgi Guninski, while they
> claim to support full disclosure, obviously support it for reasons other
> than the good of the security community.  A security professional has a
> responsibility to report issues to vendors and to work with vendors to
> solve them.  Doing this gets you, the security professional, recognition
> from the vendor and looks great on a resume.  Being irresponsible does
> not.
>
> I know a lot of you are probably thinking that this rant is pointed
> directly at Georgi and I guess it is as he is probably the largest
> offender.  Georgi, take this message for what it is worth, you are no
> longer doing the security industry a service, you are letting people know
> that AOL/Netscape and their big pockets can take a once respected person
> and obviously very intelligent security professional and use them to do
> their bidding.
>
> Send your flames and comments to hellnbak@hushmail.com
