Hi there.
Andrew van der Stock wrote:
[...]
> I'd like to hear from the original vulnerability disclosure writers
> (Red Team Pentesting, http://www.redteam-pentesting.de) for how their
> correspondence on December 4th - December 6th with Theo went. Maybe
> there's more to this than is noted in the opinion piece.
>
You are right there, we discussed securelevels with Theo for a
while and his opinion boiled down to the sentence we quoted in our
advisory. (Actually this was the whole content of a single mail.)
Of course this statement was not the only response we got from him. He
actually wrote several very long and detailed mails before, explaining
his distaste for securelevels, why they are useless and should be
removed. We did not want to start any Theo-Bashing by quoting his single
statement, it just clearly recapitulates what he said before. No fix was
sensible for securelevels because they are broken by design.
Let's see if the next release of OpenBSD will still contain securelevels.
In my opinion things would be much better if there was any proper
documentation about securelevels available, clearly stating what they can
do and, most importantly, what they cannot.
Securelevels are no catch-all for root-compromise.
Better documentation was also suggested by the FreeBSD Security Team,
yet running "man securelevel" still shows things like:
"The kernel runs with five different levels of security."
Cool, I run Security 5. Now I'm really secured, am I?
[...]
Best regards,
Markus Vervier
--
RedTeam Pentesting Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304
52068 Aachen http://www.redteam-pentesting.de
Received on Jan 21 2006