[VIM] Article suggestion: "wannabe security group members" doing harm to software developers (fwd)
security curmudgeon
jericho at attrition.org
Sun May 28 00:57:45 EDT 2006
---------- Forwarded message ----------
From: Marko Seppänen <smarko at hoito.org>
To: security curmudgeon <jericho at attrition.org>
Cc: OSVDB Mods <moderators at osvdb.org>, Steven Christey <coley at mitre.org>
Date: Fri, 26 May 2006 16:29:53 +0300
Subject: [OSVDB Mods] Re: Article suggestion: "wannabe security group members" doing harm to software developers
Hello,
I've posted the following message to a few discussion boards on the web. It should
answer the questions you had. And it's ok for you to post my original email to
the VIM list. You can also put the message below in full there. I see that
Steven already posted a message about the dispute to the list.
- Marko
------------------------------------------------
I've now contacted security sites mentioning this "flaw" and I'm glad
that some of them have already reacted and replied very quickly. For example,
OSVDB (http://www.osvdb.org/displayvuln.php?osvdb_id=25207) has now
marked the claimed flaw as "Myth/Fake". A new analysis has been made.
I've been informed by many of them (as individual persons, not as security
companies) that:
- there is a significant number of diagnosis errors made by beginner
researchers:
http://www.networksecurityarchive.org/html/Web-App-Sec/2005-12/msg00040.html
- these people are sometimes called "ctrl-v kids", meaning the extent of their
testing is pasting certain characters into fields and making claims based on
the output
- it is even common that the kinds of incorrect/false security alerts mentioned
find their way into multiple Vulnerability DataBases (VDBs)
- there do exist many who do not follow disclosure guidelines, don't care
who is impacted, don't try to find a workaround, and many of them can't even
figure out the name of the affected script
- there do exist many who do follow disclosure guidelines, care who is
impacted and how, try to find a workaround, contact the developers, etc.
I've also been informed that this issue isn't easy to deal with from the viewpoint
of VDB management, as they don't have time to independently test and verify each
vulnerability post. This was told to me by one VDB person, who wrote me a lengthy
email and who seems like a person who really cares a great deal about accuracy
in the database content. And I believe him.
However, another one had taken the time to dig up disclaimers from security sites
mentioning expressions like these: "no warranties", "as is", "no pre-screening"
and "user uploading the information is the responsible one". With this I don't
mean to say that he was rude or something like that (he wasn't), but he
corroborated that it is not possible for them to pre-check every report they
get. From the viewpoint of any software developer, I see that as a problem.
--
In my original message I mentioned certain nicknames when referring to "other
security experts". I'd like to add that they have nothing to do with this
issue. They were just listed as links in the claimer's blog's sidebar.
---------------------------------------------