Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Second RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: "Drew Copley" <dcopley () eEye com>
Date: Thu, 1 Jul 2004 11:51:45 -0700

These things said, you did start the whole IE security
thing, really, though I think l0pht found some nice ones.

In a lot of ways you originated the whole field of looking
for configuration type errors. And, I do not know you,
that is correct. So, I can not speak for you. 

But you did use Windows. I do read your emails. 

But, I would say, you are extremely talented. I would say
the bugs you found, others did not find. The bugs you found,
while not overly technical in the sense of requiring deep
knowledge of ASM were, regardless, extremely difficult to
find. Even if some came easily, surely it took a lot of
work in the first place in order to understand how the
developers thought and find bugs in their software.

If you are going to say you did not spend a lot of
time finding these bugs, that they were extremely easy
to find and required no talent whatsoever... then say
that. I do not believe that, and likely, would not believe
it even if you believed it yourself.

And even that would not change the point that you used
Windows and IE. There is a lot of software out there you
never used at all. Therefore, you never would have tested

I am not some new convert to Windows, I am not even a
convert. In a great many ways, I prefer Linux. 

But, none of that is the point. The point is just that
if people change, they should change because, say, Microsoft
has a really bad history of fixing issues... not because
actual bugs were found. Not out of fear.

Not when the bugs found are extremely difficult to find. Not
when they are being found by the same people.

Some people have the idea that there are a lot of Guninski's
out there. For instance. I would say this is not true. There
is too much reason to use full disclosure. The bugs are
too difficult to find. And, egos aside, bugfinders tend
to know and hang around other bugfinders. 

A huge motivator for using security bugs to hack systems
is ego, or fame, or whatever. This is entirely mitigated
by the full disclosure process. Another huge motivator
is money -- for some people. But these types of people are
smart enough to avoid all of the hassle of finding security
issues and can make money in just about any way they want
to. Quite often.

This leaves political or religious motives, really. And,
generally, if people are wrapped up in some kind of
serious fanaticism... the last thing they have time or
desire to do is to enter into bugfinding.

This is not to say that the scene will not be changing,
I am sure it will be. It already has been changing, slowly. 

-----Original Message-----
From: Drew Copley 
Sent: Thursday, July 01, 2004 10:33 AM
To: 'Georgi Guninski'
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] (IE/SCOB) Switching Software 
Because of Bugs: Some Facts About Software and Security bugs


-----Original Message-----
From: Georgi Guninski [mailto:guninski () guninski com] 
Sent: Thursday, July 01, 2004 12:41 AM
To: Drew Copley
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] (IE/SCOB) Switching Software 
Because of Bugs: Some Facts About Software and Security bugs

your long post seems like an advanced FUD to me.

No, it comes from working in the software field... in development
and QA...

"Fear, uncertainity, and doubt"? I said nothing scary... should
not be scary to anyone... I surely said nothing which would
make anyone "doubt", and I surely said nothing to make
someone unsure -- so please do not falsely accuse me because
you *think* I said something.

If you have a problem with something I say, please point it
out. Otherwise, please do not slander me because you think
you have a problem with something I have said. It seems you
missed what I was saying and just skipped over everything.

I will be blunt and say, you must think I said something
positive about Microsoft and not positive about open source. So,
you are attacking me. However, I did not. 

So, please do not force me to waste my time to defend something
I did not even say, that is really annoying.

according to your reasoning there should be a lot of worms 
and exploits for
apache because of its market share. fact is ii$ is plagued by 
worms and
exploits though it has a small market share.

That is not my reasoning.

That is not what I said.

Yes, Apache is an example of a really good software product. It
has been really well tested. The last notable IIS bug, the
chunked encoding bug from last year... was later cut and
paste to test with Apache. It worked on Apache. Then, we tested
it on Netscape Enterprise. It worked there. We might assume,
therefore, since the same complicated bug was on each system
and one of these systems was open source that... the bug
came from Apache. But, so did the feature.

This bug was last Spring, though, late Spring. Yes, it was
found by us, as most IIS bugs have been. Not that I like

These things said, it might be noted, the default landscape
of both Apache and now, Windows 2003 IIS, are both extremely
sparse. They do not have webdav or anything like this.

But, I am not sure why you are trying to put words in my

You test Linux. You use Linux. You used to test Windows. You
used to use Windows. I am sure you, no doubt, have serious
hatred of Microsoft. That is extremely obvious. But, you have
been attacked viciously by them in the press over and over
again. No offense... just telling the truth as I see it...

On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
There has been a great deal of talk about people
switching to Mozilla because of this recent Internet
Explorer issue. 


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Second RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]