[Dailydave] Subject: Re: How Apple orchestrated web attack on (Bow Sineath)

Adriel T. Desautels adriel at netragard.com
Wed Mar 21 13:59:22 EDT 2007


IMHO, these days most vendors won't dare threaten any legal action if you have a
solid bug release/advisory methodology in place. Doing so would make them
look like they were trying to quash your research.

When we (SNOsoft) were working with HP back in early 2000 they threatened
legal action in an attempt to do just that, quash our research. Look at how
it backfired. A lot of people felt that HP cared more about quashing
security research than they did protecting their customers. That's a message
that companies are trying to avoid sending these days.

Granted, certain companies are still more difficult to work with than
others, but if your methodology for release is well built then you won't be
giving them a legal leg to stand on. You're just doing the right thing.

If not releasing bug information results in bugs left unchecked, then you
are doing an injustice to the I.T. Community, that's how I feel at least.


On 3/21/07 10:00 AM, "johnny cache" <johnycsh at gmail.com> wrote:

>> You have totally missed the point of my mail. Everyone in this
>> wireless cock-up handled it wrong. Dave and Co did it for the media,
> 
> Actually, you know why we did a Mac and not Windows? Because at the time
> of the presentation Dave had recently left ISS (under good terms) to pursue
> an offer at SecureWorks. Since Dave did lots of Windows kernel level
> work at ISS, it seemed like the easiest way to avoid even the impression of
> impropriety on his part was to do something he wasn't exposed to while
> employed at ISS. Not doing Windows was the simplest solution.
> 
> In short, we did it to avoid any legal pressure.
> 
> Hindsight is always 20/20, isn't it?
> 
> And if anyone is curious, I agree completely with Bow when he says he simply
> doesn't bother reporting bugs any more. The only company I really trust not to
> do anything really unethical is Microsoft. <cue the
> microsoft-funds-everything-that-makes-apple-look-bad conspiracy
> theorists.>
> -jc
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-- 

Regards, 
    Adriel T. Desautels
    Chief Technology Officer - Netragard, LLC
    Office: 617-934-0269 || Mobile : 857-636-8882
    http://www.linkedin.com/pub/1/118/a45
    http://www.netragard.com
    -------------------------
    "We make IT secure."
