[VIM] Article suggestion: "wannabe security group members" doing harm to software developers (fwd)

security curmudgeon jericho at attrition.org
Sun May 28 00:57:45 EDT 2006

---------- Forwarded message ----------
From: Marko Seppänen <smarko at hoito.org>
To: security curmudgeon <jericho at attrition.org>
Cc: OSVDB Mods <moderators at osvdb.org>, Steven Christey <coley at mitre.org>
Date: Fri, 26 May 2006 16:29:53 +0300
Subject: [OSVDB Mods] Re: Article suggestion: "wannabe security group members"
     doing harm to software developers


I've posted the following message to a few discussion boards on the web. It
should answer the questions you had. And it's ok for you to post my original
email to the VIM list. You can also put the message below in full there. I see
that Steven already posted a message about the dispute to the list.

- Marko


I've now contacted security sites mentioning this "flaw" and I'm glad
that some of them have already reacted and replied very quickly. For example,
OSVDB (http://www.osvdb.org/displayvuln.php?osvdb_id=25207) has now
marked the claimed flaw as "Myth/Fake". A new analysis had been made.

I've been informed by many of them (as individual persons, not as security
companies), that:

- there is a significant amount of diagnosis errors made by beginners
- these people are sometimes called "ctrl-v kids", meaning the extent of their
testing is pasting certain characters into fields and making claims based on
the output
- it is even common that the mentioned kinds of incorrect/false security alerts
find their way to multiple Vulnerability DataBases (VDB)
- there do exist many who do not follow disclosure guidelines, don't care
who is impacted, don't try to find a workaround, and many of them can't even
figure out the name of the affected script
- there do exist many who do follow disclosure guidelines, care who is
impacted and how, try to find a workaround, contact developers, etc.

I've also been informed that this issue isn't easy to deal with from the
viewpoint of management of a VDB, as they don't have time to independently test
and verify each vulnerability post. This was told to me by one VDB person, who
wrote me a lengthy email and who seems like a person who really cares a great
deal about accuracy in the database content. And I believe him.

However, another one had taken the time to dig up disclaimers from security
sites mentioning expressions like these: "no warranties", "as is", "no
pre-screening" and "user uploading the information is the responsible one". With
this I don't mean to say that he was rude or something like that (he wasn't),
but he corroborated that it is not possible for them to pre-check every report
they get. From the viewpoint of any software developer, I see that as a problem.


In my original message I mentioned certain nicknames when referring to "other
security experts". I'd like to add that they have nothing to do with this
issue. They were just listed as links on the claimer's blog's sidebar.

