[Dailydave] How Apple orchestrated web attack on researchers

Ralph Logan rkl at blackops.org
Tue Mar 20 13:10:57 EDT 2007 

This argument/discussion has been going on for years.  RE: l0pht vs. MS, etc.

What I'd like to see is a scientific study on the public stock data and the release of vulnerabilities by researchers and it's effect on a stock price.

Does anyone think to mention the amazing coincidence of ISS releasing a vulnerability just before the Checkpoint/Sourcefire acquisition announcement, then later just before the IPO?

Anyway, besides that I haven't seen any verifiable data that shows causality of vulnerability release effecting stock price.  If someone has done the research, I'd love to read about it.

Brand identification and protection is indeed paramount to any corporate entity and now personal brand protection with Web 2.0's emergence into co-branding and micro-branding.  So while it is each stake-holder's job to protect and advance the brand don't you think that MS has done this in the past 8 yrs with their commitment to security?  This is not a question to begin a discussion on the fact, it is indeed fact when considering their forward movement in this area.

Regards,

rkl

Daniel (daniel at ugc-labs.co.uk) wrote:
> Firstly I'm not a mac head, i use a tool call Apple. It has it's  
> problems just like my Mamiya camera and my toilet. Lets keep the  
> insults down to a mature level yeah?
> 
> > On 3/20/07, Daniel <daniel at ugc-labs.co.uk> wrote:
> >> Tell me George, if you owned a mega corporation and you had two
> >> researchers threatening to drop a few % from your share price, what
> >> would you do? Open up your arms, give them a free macbook and see
> >> millions lost on the FTSE/Nasdaq?
> >
> > Yea, lets just lie about everything and cover it up. That always works
> > out well....
> 
> 
> Again welcome to how business is done. 8/10 current top FTSE 100  
> companies today make use of aggressive tactics to ensure survival,  
> why is IT and this industry any different?
> >
> >> Apple's PR protected the brand, same as Bush protected his brand and
> >> Billy G protected his brand. This is business 101 and it's time for
> >> security and security researchers to realise the golden years are
> >> long gone in todays litigation market. I can't just walk into Ford
> >> and say that all american cars are crap, blow up and kill people
> >> without expecting some force, so why do researchers think they can
> >> get away with it with this "we are protecting the world" approach?
> >
> > That comparison makes no sense at all. You are comparing two people
> > finding a flaw in wireless drivers with blowing up and killing people.
> 
> This is where you miss the point, it's about BRAND PROTECTION. Yes  
> the world would be much better if everyone was open, but that doesn't  
> happen in the real world. Oracle still bills it's database server as  
> unbreakable, are they lying?
> >
> > Every Machead I debate this with says the same thing. They argue about
> > how Full Disclosure is bad for everyone and how all of us are wrong
> > and unethical for releasing flaws to the public if a company doesn't
> > patch a flaw in a timely and appropriate manner. I'd like to remind
> > you that this isn't the first incident where Apple has lied to the
> > public about the seriousness of a flaw to protect themselves.
> 
> If you actually knew me, you know I support full disclosure. I'm not  
> some wet behind the "oooh mummy got me a hacking exposed book, i can  
> hack like Dave A now" kid, I've been in this damn industry for a long  
> time now. I can give you countless other examples of companies who  
> have protected their brand like Apple have done. It's not right, it's  
> not clever but this has been happening since the early 1900's (Coke  
> is good for you, can fix all your health problems, oooh smoking  
> hasn't killed anyone, Firestone tyres are totally safe USA!)
> 
> 
> >
> > You (and the rest of the Apple community that thinks this way) need to
> > wake up. Would you rather us find flaws and keep them to ourselves if
> > the vendor decides not to fix it?
> 
> Again assumptions are being made about me. I've found flaws, I was  
> due to talk about them this month at EUSecWest but things happened  
> that prevented me from doing so. I've spent loads on lawyers and  
> would have rather spent it on buying a new hasselblad. Do you know me  
> at all?
> 
> > Thats how the blackhat community
> > works, they find flaws and keep them to themselves for later use. The
> > blackhat community doesn't give a crap about what the corporations
> > think, they have no rules to abide by. If they find a flaw, they keep
> > it to themselves and use it when they deem necessary.
> 
> Educating anyone on daily dave who actually has been on this list for  
> longer than 1 year on how the "blackhat" community works is funny. Us  
> old farts remember gov-boi and the "blackhat" sites like hack.co.za,  
> hell I even hosted the site back in the day, so yes I'm fully aware  
> of how this community works, again please stop thinking im 19 years old.
> 
> > There is a good
> > chance that a number of these flaws were already known by the blackhat
> > community.  Do you feel safe knowing that blackhats have their own
> > private collection of exploits that they can use against you? Would
> > you rather they continue to have a collection of unpatched flaws?
> > Instead of binding the hands of white hats with legal and political
> > garbage, you should be encouraging them to find and disclose flaws,
> > not cover them up and hide them. People need to be aware of the risk
> > to their information.
> >
> 
> Security research has changed since the 90's, especially in modern  
> america and europe. You cannot disclose information today and not  
> expect some legal challenge. David and Co found this out the hard  
> way, which I do feel for them. This is one reason I will never report  
> on any issue i find anymore, It's not worth it.
> 
> > Don't get me wrong. I'm all for responsible disclosure, but Apple has
> > shown time and time again that they will not act responsibly in
> > return. The community needs to be aware of the risks and if Apple
> > won't tell the truth, then the community will.
> 
> 
> - Cisco
> - Microsoft
> - Lotus
> - Oracle
> 
> Shall I go on? Hell ask Dave L or Cesar  about how responsible Oracle  
> have been, I don't see any hate articles addressed to Mary Ann.  
> Before i retired from IT, 12 years of experience taught me that every  
> damn IT company lies. Apple isn't doing something new, why do you  
> think RFP wrote his original policy back in the day?
> 
> 
> >
> > Blackhats already have the advantage, why give them one more by
> > binding our hands? Do you REALLY want that risk?
> 
> You have totally missed the point of my mail. Everyone in this  
> wireless cock-up handled it wrong. Dave and Co did it for the media,  
> Apple should have come clean and christ knows, BLOGGERS CAN'T be  
> expected to have the same journalistic integrity that traditional  
> media does.
> 
> This industry is at a crossroads. We need to grow up and mature and  
> realise that for every action there is a reaction. Companies are no  
> longer willing to accept some researcher blurting out some issue, no  
> matter how serious it is, without taking into consideration the  
> financial implications.
> 
> 
> 
> 
> >
> > -- 
> > Bow Sineath - bow.sineath at gmail.com
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-- 
They that can give up essential liberty
to purchase a little temporary safety
deserve neither liberty or safety
-- Benjamin Franklin

More information about the Dailydave mailing list