Aren't you the guy that is dating Kevin Mitnick?

- neal

On Sun, 08 Apr 2007 11:07:14 -0500 George Ou <[EMAIL PROTECTED]> wrote:
> Yeah that's a stupid accusation against you Raven. He was suggesting
> somehow that if you get your machine owned then you can't be protecting
> other people's computers or something and that was really retarded. Yes he
> WAS a troll.
>
> As for Apple going to the press to humiliate you, that's very typical of
> their PR operation. After the SecureWorks incident and after I spoke with
> their PR, I know them all too well. But even I'm shocked that they would
> bring your boyfriend in to this.
>
> Thanks for taking the tough questions from the audience. Don't mind this
> jerk and don't mind Apple. You have nothing to be ashamed of. Keep up the
> good work.
>
>
> George Ou
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raven Alder
> Sent: Sunday, April 08, 2007 2:00 AM
> To: [email protected]
> Subject: [Full-disclosure] Security Researcher Not Particularly Humiliated
>
> Hiya --
>
>> Security conference staff needs to do a better job of screening
>> their audiences to prevent this sort of harassment during
>> presentations. I must admit that I am afraid to present at future
>> conferences if there is the possibility of being humiliated like
>> this during my talks.
>
> As the researcher in question, I didn't feel particularly humiliated.
> Sure, I thought the guy was a troll, but I figured that he was just being
> a jerk to me because he had some chip on his shoulder and couldn't find
> anything to complain about in my talk. But really, his big tac-nuke
> against me was that there was some undisclosed bug in Apple's code?
> That's hardly my fault. I don't write their OS, and the thing was fully
> patched, firewalled, hardened, and still got popped. Shit happens.
>
> I didn't go public with it because I wanted a smoking gun first.
> Security is very much a "show me" industry, and I didn't want to make
> claims that I couldn't substantiate. I did approach Apple, and they
> pretty much blew me off. I sent them a detailed event report, offered up
> my system for forensic analysis, and offered to help in any way I could.
> They went to the press, gave a reporter my name (I had not gone to the
> press), and dished some crap about how I let my boyfriend use my computer
> and he probably did something to disable my firewall and cause it to
> auto-own itself or something. Dude. My boyfriend does not have admin
> permissions on my machine, for starters. Way to help, Apple.
>
> After realizing that Apple were not my friends and were more interested
> in their PR spin than they were in finding and fixing the problem, I
> stopped talking to them. I had several OS X geeks have a look at the
> system, and none of them were able to find anything more conclusive than
> I did. Forensics geeks, same thing. So, I dumped the filesystem for
> posterity, vowed that no OS X box was going on a hostile network again,
> and reformatted the thing.
>
> Sorry, folks, but I'm not going to share my filesystem dump with people
> that I do not already know and trust. Don't even ask.
>
> Not even if you're Apple. You leak my name to the press when I'm trying
> to help you find your flaw, you get no more help from me.
>
> All of this is pretty irrelevant to the talk I gave. Still, I don't feel
> that audience screening is the way to solve the problem -- I don't want
> to quash honest questions and interest in the projects I'm working on,
> and I think any screening that wouldn't be trivially defeated by lying-fu
> would be draconian enough to be detrimental to free and open discourse.
> There are always going to be trolls. I think the audience and convention
> response was about as good as it could have been -- the troll got told
> off by several people, two of them with the mike, but it was pretty clear
> that most people were more interested in the technical content of the
> talk than they were in his effort to get my goat. The conference
> organizers offered sympathy, and that was kind of them; I believe the guy
> got pitched out of the con for going on to harass a few other folks too.
> Charming gent.
>
> So, really, I don't think I have anything to be ashamed of, and I
> certainly don't feel humiliated. I can see why getting ad hominem
> questions might make getting up on stage more intimidating for future
> speakers, but I don't intend to let that shut me up. [grin]
>
> Cheers,
> Raven
>
> --
> @
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
