On Tuesday 7 October 2014 03:50:39 CEST, Greg wrote:
On Oct 6, 2014, at 6:41 PM, Collin Anderson
<[email protected]> wrote:
On Mon, Oct 6, 2014 at 9:35 PM, Greg <[email protected]> wrote:
Although this isn't a serious bug, it's still a
security-related issue and you don't know how failing to
responsibly disclose it could affect someone.
It seems that you were called out on something fairly basic --
is this about bug reporting or public embarrassment on a matter
that you would have wished to remain shuffled away in private
correspondences?
Sorry, I don't understand your question, could you rephrase it?
I am embarrassed for Steve Weis. If I were employing him, I'd
fire him for claiming to be a security professional while not
knowing how to responsibly disclose a bug.
Re "fairly basic": yes, modifying timestamps is fairly basic
stuff (and it worked in all our tests just fine). I have no idea
why it suddenly broke.
- Greg
IMHO it's fair to give you some time to find the bug, but then it's a must
to publish the issue to advise your clients to check their sensitive
data.
This is only because you claim that there is no evidence at all to
reproduce this issue at the moment.
The check made by Steve was so simple that there is no concern about any
"responsibility" in disclosing the bug, because it's a simple process in
the public domain.
At the moment "security by obscurity" is no longer an option nor a
must-have.
regards
mutek
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at [email protected].