Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Re: [caudium-devel] [SECUNIA] Regarding Secunia Adviso

from [Marek Habersack] Network Security [Permanent Link]
Subject: [Full-Disclosure] Re: [caudium-devel] [SECUNIA] Regarding Secunia Advisory SA13040
Date: Wed, 22 Dec 2004 15:12:22 +0100 
On Wed, Dec 22, 2004 at 02:47:30PM +0100, Thomas Kristensen scribbled:

Hi Xavier,

The information in Secunia Advisory SA13040 is based on your own
Changelog at Sourceforge.

SA13040:
http://secunia.com/SA13040

On 30th November you wrote to Secunia that this only affected the 1.4
branch. One hour later Secunia updated the advisory to reflect this and
you received an answer with a confirmation that we had updated the
advisory.

You should have done that in the first place - before posting any
information about bugs. By releasing such erroneous advisories you do a
malservice to both the vendors and the community. One effect of your
advisory was that nessus started flagging all scanned machines running
Caudium as vulnerable. That, for some people, generated costs in real money
- all because of your lack of willingness to provide the community with the
accurate and trustworthy information. Personally, I will regard any other
advisory from Secunia as unreliable.



If you spotted any other omissions back then, you could have contacted
us again - obviously you didn't.


Additionally, any information listed in product changelogs is considered
public knowledge. Naturally, we don't contact vendors before issuing
advisories based on information in their own changelogs / release notes.

Do you find is as natural not to perform any tests to confirm your advisory?
Also, is it customary to release advisories about non-released or
development projects that are moving targets? I suppose we will have to
forget about the OSS rule "release soon, release often" - since any bug in a
development (CVS/SVN/Arch/whatever) version will be considered a serious
security threat.
 

Also, we are not going to remove this advisory, as it is based on your
own information. However, if you have any relevant additional
information, we will naturally review them and update the advisory
accordingly.

I can see a splendid opportunity to fool Secunia. I will start putting false
changelog entries in our repositories announcing all kinds of grave and
serious errors. I would love if other vendors start doing that as well - I
wonder how would you, as professionals, look if it started to turn out that
your "advisories" are cut-and-paste's from vendor development changelogs -
untested, unconfirmed, unchecked.



Kind regards,

best regards and I hope you will take the time during the upcoming holidays
to think about the way you do your work - since it is affecting other
people's work, you are obliged to take every step and measure to prevent
unreliable information from coming out from you.

And a single note below - please don't take what I wrote personally. Treat
it as something coming from professional to professional.

marek

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] Regarding Secunia Advisory SA13040., Xavier Beaudouin
Next by Date:  Oracle Trigger Abuse (#NISR2122004I), NGSSoftware Insight Security Research
Previous by Thread:  [Full-Disclosure] [SECUNIA] Regarding Secunia Advisory SA13040, Thomas Kristensen
Next by Thread:  Oracle Trigger Abuse (#NISR2122004I), NGSSoftware Insight Security Research
Indexes:  [Date] [Thread] [Top] [All Lists]