RE: WAS Informing Companies NOW Announcing ' or 1=1--

From: Arian J. Evans (arian.evans@anachronic.com)
Date: Fri Oct 06 2006 - 12:07:10 EDT

• Next message: jason@kaddywampus.org: "RE: Informing Companies about security vulnerabilities..."
• Previous message: Jamie Riden: "Re: Re: Frontpage no password privileges escalation?"
• In reply to: Thor (Hammer of God): "WAS Informing Companies NOW Announcing ' or 1=1--"
• Next in thread: Levenglick, Jeff: "RE: Informing Companies about security vulnerabilities..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> -----Original Message-----
> On Behalf Of Thor (Hammer of God)

> > Now, the interesting question we SHOULD /be discussing/
> > on this list, is who is going to be our Ralph Nader?
>
> How's this?

We do not have people in this industry with credible, loud
voices for the consumer to hear. The best and brightest of
our voices are not champions of change or providing advocacy
for a new path, but simply the best at poking holes or
pointing fingers at the dunce cap kids.

And the rest probably enjoy a healthy work-life balance. :)

> Haroon Meer (Sensepost) and Thor (Hammer of God) are proud to
[...]
> That's [' or 1=1--] without the brackets. (This is not a joke).

That is beautiful. Nice work. Who's up for naming a child?

> process of becoming a legal California corporation DBA as [' or 1=1--]
> [snip: all the other great stuff about this]

This is very cool, but you're still protecting the messenger.

What is still wrong with things here, that we are still
entirely fixated on the messenger?

1. How bad does this have to get?

2. What is the proper path of recourse?

Right now, this very second, are vendors that create, sell, and
ship significantly defective software. A small number of these
vendors I've encountered lately actively lie, dishonestly
manipulate consumer perspective concerning security features
that do not work or exist, while refusing to discuss or fix
holes in their shipping software.

That sounds like criminal intent to me.

Right now I am still potentially the criminal. While efforts
like yours assist that, you can't prove a negative. I am not
a criminal.

I want to move beyond that to figure out what our recourse
is for the real criminals, before they start taking human
lives, which is sooner or later inevitable.

-ae

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: jason@kaddywampus.org: "RE: Informing Companies about security vulnerabilities..."
• Previous message: Jamie Riden: "Re: Re: Frontpage no password privileges escalation?"
• In reply to: Thor (Hammer of God): "WAS Informing Companies NOW Announcing ' or 1=1--"
• Next in thread: Levenglick, Jeff: "RE: Informing Companies about security vulnerabilities..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT