<div>Daniel,</div>
<div> </div>
<div>
It's one thing to be aggressive, it's another to be unethical.
What Apple did was extremely unethical. What Chartier did in his blog was extremely unethical and I couldn't give a damn if he's just a blogger. A blog shouldn't be a license to accuse people of something horrible and falsely state that there was an actual "admission". Dalrymple of Macworld certainly wasn't a blog and many of his colleagues jumped on the bandwagon. Your defense of unethical behavior is shocking.<BR></div>
<div name="wmMessageComp"><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT: blue 2px solid">-------- Original Message --------<BR>
Subject: Re: [Dailydave] How Apple orchestrated web attack on researchers<BR>
From: Daniel <daniel@ugc-labs.co.uk><BR>
Date: Tue, March 20, 2007 7:38 am<BR>
To: "James Sineath" <bow.sineath@gmail.com><BR>
Cc: dailydave@lists.immunitysec.com<BR><BR>
Firstly, I'm not a Mac head, I use a tool called Apple. It has its problems just like my Mamiya camera and my toilet. Let's keep the insults down to a mature level, yeah?<BR><BR>
> On 3/20/07, Daniel <daniel@ugc-labs.co.uk> wrote:<BR>
>> Tell me George, if you owned a mega corporation and you had two researchers threatening to drop a few % from your share price, what would you do? Open up your arms, give them a free MacBook and see millions lost on the FTSE/Nasdaq?<BR>
><BR>
> Yeah, let's just lie about everything and cover it up. That always works out well....<BR><BR>
Again, welcome to how business is done. 8/10 current top FTSE 100 companies today make use of aggressive tactics to ensure survival, why is IT and this industry any different?<BR>
><BR>
>> Apple's PR protected the brand, same as Bush protected his brand and Billy G protected his brand. This is business 101 and it's time for security and security researchers to realise the golden years are long gone in today's litigation market. I can't just walk into Ford and say that all American cars are crap, blow up and kill people without expecting some force, so why do researchers think they can get away with it with this "we are protecting the world" approach?<BR>
><BR>
> That comparison makes no sense at all. You are comparing two people finding a flaw in wireless drivers with blowing up and killing people.<BR><BR>
This is where you miss the point, it's about BRAND PROTECTION. Yes, the world would be much better if everyone was open, but that doesn't happen in the real world. Oracle still bills its database server as unbreakable, are they lying?<BR>
><BR>
> Every Mac head I debate this with says the same thing. They argue about how Full Disclosure is bad for everyone and how all of us are wrong and unethical for releasing flaws to the public if a company doesn't patch a flaw in a timely and appropriate manner. I'd like to remind you that this isn't the first incident where Apple has lied to the public about the seriousness of a flaw to protect themselves.<BR><BR>
If you actually knew me, you'd know I support full disclosure. I'm not some wet behind the "oooh mummy got me a Hacking Exposed book, I can hack like Dave A now" kid, I've been in this damn industry for a long time now. I can give you countless other examples of companies who have protected their brand like Apple have done. It's not right, it's not clever, but this has been happening since the early 1900s (Coke is good for you, can fix all your health problems, oooh smoking hasn't killed anyone, Firestone tyres are totally safe USA!)<BR><BR>
><BR>
> You (and the rest of the Apple community that thinks this way) need to wake up. Would you rather we find flaws and keep them to ourselves if the vendor decides not to fix it?<BR><BR>
Again, assumptions are being made about me. I've found flaws, I was due to talk about them this month at EUSecWest but things happened that prevented me from doing so. I've spent loads on lawyers and would have rather spent it on buying a new Hasselblad. Do you know me at all?<BR><BR>
> That's how the blackhat community works, they find flaws and keep them to themselves for later use. The blackhat community doesn't give a crap about what the corporations think, they have no rules to abide by. If they find a flaw, they keep it to themselves and use it when they deem necessary.<BR><BR>
Educating anyone on Dailydave who actually has been on this list for longer than 1 year on how the "blackhat" community works is funny. Us old farts remember gov-boi and the "blackhat" sites like hack.co.za, hell I even hosted the site back in the day, so yes I'm fully aware of how this community works, again please stop thinking I'm 19 years old.<BR><BR>
> There is a good chance that a number of these flaws were already known by the blackhat community. Do you feel safe knowing that blackhats have their own private collection of exploits that they can use against you? Would you rather they continue to have a collection of unpatched flaws? Instead of binding the hands of white hats with legal and political garbage, you should be encouraging them to find and disclose flaws, not cover them up and hide them. People need to be aware of the risk to their information.<BR>
><BR><BR>
Security research has changed since the 90's, especially in modern America and Europe. You cannot disclose information today and not expect some legal challenge. David and Co found this out the hard way, which I do feel for them. This is one reason I will never report on any issue I find anymore. It's not worth it.<BR><BR>
> Don't get me wrong. I'm all for responsible disclosure, but Apple has shown time and time again that they will not act responsibly in return. The community needs to be aware of the risks and if Apple won't tell the truth, then the community will.<BR><BR><BR>
- Cisco<BR>
- Microsoft<BR>
- Lotus<BR>
- Oracle<BR><BR>
Shall I go on? Hell, ask Dave L or Cesar about how responsible Oracle have been, I don't see any hate articles addressed to Mary Ann. Before I retired from IT, 12 years of experience taught me that every damn IT company lies. Apple isn't doing something new, why do you think RFP wrote his original policy back in the day?<BR><BR><BR>
><BR>
> Blackhats already have the advantage, why give them one more by binding our hands? Do you REALLY want that risk?<BR><BR>
You have totally missed the point of my mail. Everyone in this wireless cock-up handled it wrong. Dave and Co did it for the media, Apple should have come clean and Christ knows, BLOGGERS CAN'T be expected to have the same journalistic integrity that traditional media does.<BR><BR>
This industry is at a crossroads. We need to grow up and mature and realise that for every action there is a reaction. Companies are no longer willing to accept some researcher blurting out some issue, no matter how serious it is, without taking into consideration the financial implications.<BR><BR><BR>
><BR>
> -- <BR>
> Bow Sineath - bow.sineath@gmail.com<BR><BR>
_______________________________________________<BR>
Dailydave mailing list<BR>
Dailydave@lists.immunitysec.com<BR>
http://lists.immunitysec.com/mailman/listinfo/dailydave </BLOCKQUOTE></DIV>