  • Industry calls on Microsoft to scrap PatchTuesday for Critical flaws


    Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:
    You Microsoft must officially agree that all flaws marked as "Critical" must
    have a patch within 7 to 14 days of public disclosure.
    K Nice try.
    Too bad you didn't add a requirement that the patch actually be *correct*.
    Also, you're totally overlooking the fact that *sometimes*, fixing a problem
    requires some major re-architecting - for instance, if an API has to be changed,
    then *every* caller has to be updated, and quite possibly re-designed, and
    the changes have an annoying tendency to ripple outward (if subroutine A
    has a 7th parameter added, then everybody who calls A has to be updated. And
    it's likely that you'll find routines B, C, and D that have no *idea* what the
    correct value of the parameter should be, because they don't have access to the
    data - so now callers of B, C, and D have to pass another parameter that gets
    passed to A).
    Any company that will commit to a "must" on this one is nuts. It's a good
    target, but making it mandatory is just asking companies to ship a half-baked
    patch that seems to fix the PoC rather than the underlying design flaw.
    And going back and reviewing the patch history on IE is instructive - more than
    once, Microsoft has released a patch for a known Javascript flaw, only to find
    out within a week that a very slight change would make the exploit work again.
    Is that *really* what you want? It's certainly not what *I* want. Waiting
    another 3-4 days past your arbitrary 14-day limit for a *good* patch is certainly
    preferable for those of us who actually have to deal with this stuff for a living,
    rather than hide out on a Yahoo group.
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
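Valdis's point about a patch that "seems to fix the PoC rather than the underlying design flaw" is easy to see in code. The block below is an added illustration, not code from this thread, from Microsoft, or from any real patch: a constructed file-serving check in Python, first "patched" by refusing the exact proof-of-concept string, then fixed at the root by normalising the path and checking where it lands. `BASE_DIR`, `poc_level_patch`, `root_cause_fix`, `mismatches` and every request in `SAMPLE_REQUESTS` are invented for the example; the regression dictionary is the kind of check a defender keeps so that the "very slight change" Valdis describes is caught before the patch ships.

```python
"""Added illustration (not code from the thread or from any vendor patch) of
a patch that blocks only the published proof of concept versus one that
removes the underlying flaw. The served directory, the requests and the
expected verdicts below are all constructed for this example."""
import posixpath
from urllib.parse import unquote

# Constructed: the only directory the hypothetical file server may serve from.
BASE_DIR = "/srv/app/public"


def poc_level_patch(requested: str) -> bool:
    """The 'half-baked' fix: refuse the exact byte sequence seen in the PoC.

    Returns True when the request would be served. Any spelling of the same
    traversal that does not contain the literal '../' slips straight through,
    and benign paths that happen to contain it are refused.
    """
    return "../" not in requested


def root_cause_fix(requested: str) -> bool:
    """Fix the design flaw instead: decode, normalise, then require that the
    final path still lies inside BASE_DIR.

    The decision depends on where the path ends up, not on how it is spelled,
    so variants of the PoC are rejected for the same reason the PoC is.
    """
    decoded = unquote(requested)              # undo URL encoding once, as the server would
    decoded = decoded.replace("\\", "/")      # treat backslash as a separator too
    if "\x00" in decoded:                     # NUL would truncate the name at the OS layer
        return False
    full = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    # The trailing slash matters: "/srv/app/public2" must not pass as "inside".
    return full == BASE_DIR or full.startswith(BASE_DIR + "/")


# Constructed regression cases: request -> whether it is safe to serve.
SAMPLE_REQUESTS = {
    "index.html": True,
    "css/../index.html": True,            # benign; resolves to a file inside BASE_DIR
    "../../etc/passwd": False,            # the published PoC
    "..\\..\\etc\\passwd": False,         # same traversal, backslash spelling
    "%2e%2e/%2e%2e/etc/passwd": False,    # same traversal, URL-encoded dots
    "..%2f..%2fetc/passwd": False,        # same traversal, URL-encoded slashes
}


def mismatches(check) -> dict:
    """Run one check over the regression cases.

    Returns {request: (expected, actual)} for every case the check gets wrong;
    an empty dict means the check agrees with every expected verdict.
    """
    return {req: (want, check(req))
            for req, want in SAMPLE_REQUESTS.items()
            if check(req) != want}


if __name__ == "__main__":
    for name, check in (("PoC-level patch", poc_level_patch),
                        ("root-cause fix", root_cause_fix)):
        bad = mismatches(check)
        print(f"{name}: {len(bad)} wrong verdict(s)")
        for req, (want, got) in bad.items():
            print(f"  {req!r}: expected {want}, got {got}")
```

Run as a script, the PoC-level check gets four verdicts wrong (it waves through three respellings of the same traversal and refuses one harmless path), while the root-cause check agrees with every expected verdict. The design point is that the second check never reasons about the attacker's spelling at all; it decides on the resolved path, which is the property the server actually cares about.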
  • No.1

    Sorry to say the n3td3v group involves employees (rogue) who have called for
    this. You can ringgle and ranggle your political point of users within the MS
    not having enough time scale to promote to a certain issue, but that's
    complete crap. Reason being the folks within the n3td3v group are
    actually people from MS, YAH, AL, etc already. The folks at n3td3v group
    are part of the industry already, for you to put your point across Mr Valdis
    is cool, but the n3td3v group if you hadn't realised before is part of a
    between the major dot coms.

  • No.2

    Sat, 25 Mar 2006 18:53:36 -0800
    "William Lefkovics" <william (AT) lefkovics (DOT) net> wrote:

    Indeed. You don't want to release a bad patch (who does?) and you also want
    to work on critical issues in an ASAP manner, not tied to any schedule like
    7 to 14 days.

    Agreed. However, I do strongly believe that Microsoft should
    release security patches as soon as they _are_ confident that
    they're ready to go.

    As I understand it (please correct me if I'm wrong) the current
    Microsoft strategy of releasing security advisories on the
    second Tuesday of the month is to appease managers who were
    getting sick of constantly having to allocate staff to deal
    with them.

    Whilst I understand this logic, I don't really agree with it -
    security patching is (at least for the foreseeable future) a
    "fact of life" and should be a top priority. If this means
    re-allocating resources to deal with it, then so be it (in my
    books, anyway).

    "The worst scenario for us is that we release an update which has quality
    problems. We believe the downstream problems of releasing patches too
    quickly are even more serious than not putting in the quality that they
    deserve." - Ben English, Security Leader, Microsoft Australia

    Furthermore, Microsoft has an exception policy in place for addressing
    vulnerabilities with greater customer risk.

    "Microsoft will make an exception to the above release schedule if we
    determine that customers are at immediate risk from viruses, worms, attacks
    or other malicious activities. In such a situation Microsoft may release
    security patches as soon as possible to help protect customers."

    I don't like the idea of Microsoft making assessments on behalf
    of me / my employer / etc. Probably my biggest gripe with this
    idea is that it's entirely possible for someone to be actively
    exploiting, or to have the ability to actively exploit, a
    security problem in a Microsoft product without anyone else -
    including Microsoft - knowing about it. If there's a security
    patch sitting there which would fix the issue I want it!

    Good to see discussion on this issue, methinks!

  • No.3

    The n3td3v group is part of world wide rogue employees already. While you
    may not think it's cool to rush a patch in case it's faulty, let's look at the
    alternatives. We can have a world where hackers are exploiting your
    vulnerabilities by hacking systems, or you can have hackers who are
    developing patches before MS, and causing more havoc. If you release a third
    party patch it causes the consumer to become confused. Should the consumer
    trust X third party and all its phishing, or should MS release its patch
    before the third parties? As soon as MS allow enough time for third parties
    to develop a patch, is as soon as the scope for malicious phishing
    activities begin. So no matter how many times you go on about "disclosure to
    patch cycle", the main point here is "disclosure until rogue patches and
    malicious activities take over". It's easy to post something about MS need to
    test a patch before it's distributed, but that's crap. If third party
    programmers are able to release patches which do the job, and Microsoft are
    still left standing, then surely that means MS has lost the fight?

  • No.4

    Sun, Mar 26, 2006 at 03:39:32AM +0100, n3td3v wrote:
    reason being the folks within the n3td3v group are
    actually people from MS, YAH, AL, etc already.

    You know, legitimate groups don't have to keep claiming, over and
    over, that they're legit.

    It's remarkable how that works.
  • No.5

    Wow, hence the ideals of being an anonymous group. Like if names were put to
    list, they wouldn't be sacked straight away. Wake up, smell the positives
    of being anonymous for five minutes, or maybe that leaves you, CERT, SANS a
    bit head rubbed, just like SANS once said FIREFOX posed a lesser threat than
    IE. H, the guys I speak to at MS were chuckling about that one. course
    SANS reversed their claim that FIREFOX was less vulnerable than IE later,
    much later. The credibility of SANS, of course, comes into question, while
    folks at n3td3v consortium laugh with glee, as the big players get it so
    badly wrong in front of the international stage.

    3/26/06, William Lefkovics <william (AT) lefkovics (DOT) net> wrote:

    Not to mention the absence of legitimate names of the folks.

  • No.6

    Part of our "mind thought" is to poorly represent our cause while bringing
    over premier issues in which the majority of the security community support,
    especially in relation to corporate interests.

    We're not looking for respect or for Joris Evers or Robert Lemos to write
    about us, all we care about is that we change the "mind track" of the people
    who can make a difference.

    3/26/06, William Lefkovics <william (AT) lefkovics (DOT) net> wrote:

    >> hence the ideals of being an anonymous group.

    Yes, how convenient for you (which was really my point).

    What is a 'rogue' employee?
    that is not trustworthy and doesn't have the gonads to leave their
    comfortable pay cheque?

    Anyway, best of luck to you, but the initiative your pseudo-consortium put
    forth in this thread is misguided, poorly presented, and makes others
    'laugh with glee'.
  • No.7

    >Sorry to say the n3td3v group
    more like "Sorry to say n3td3v group does not exist" ( kinda like your
    brain )

    umm, there is no "n3td3v group"
    so please stop using that phrase, you're just trying to make yourself look
    "big" and "professional" to the media / vendor personage that reads this
    list.

    and that you have a "group" of "rogue employees" ( trying to make like
    there are bonafide sec researchers working for your group ) [ insert much
    lmfao here ]

    n3td3v you are chum, bait, food, just waiting to be extruded out of some
    orifice like the smelly nasty mess you are.

    NW PLZ STFU KTHNX

  • No.8

    Sun, 26 Mar 2006 05:08:41 +0100, n3td3v said:
    Part of our "mind thought" is to poorly represent our cause while bringing
    over premier issues in which the majority of the security community support,
    especially in relation to corporate interests.

    course, if you poorly represent your cause, people will mis-interpret your
    message. Most of those highly paid execs won't invest the time needed to
    comprehend the subtlety of your message, and just conclude you're a single
    loser with major delusions of self-importance.

    It's a shame, really, that those that are able to make their case well will be
    heard, and yours will just be misunderstood and forgotten.

  • No.9


    Well for me, n3td3v, and probably a lot here, you are in the junk
    settings because I think most of the FD list is really pissed off by your
    international kiddie attitude.

  • No.10


    body contains n3td3v
    from contains n3td3v

    delete message
    delete from pop server

    is a good solution in Thunderbird to get rid of this FD bug.

    cheers.

  • No.11

    first you say:
    " reason being the folks within the n3td3v group are actually people from MS, YAH, AL, etc already"
    or:
    "the n3td3v group is the biggest thing you'll ever meet in your life time"
    then later:
    "as the big players get it so badly wrong infront of the international stage"

    isn't that conflicting? first you pretend that you (and your imaginary group) would be the biggest **** out there,
    but then you refer to SANS as the big players while you first bragged that your imaginary people work for MS etc.
    try to keep your story straight.
  • No.12

    You can not possibly understand the extent of n3td3v's absolute powers.
    N3td3v is infallible. Tom Cruise is, in fact, a member. The infosec
    community is just one big lol after the last.

    3/26/06, GroundZero Security <fd (AT) g-0 (DOT) orgwrote:

    first you say:
    " reason being the folks within the n3td3v group are actually people
    from MS, YAH, AL, etc already"
    or:
    "*the n3td3v group is the biggest thing you'll ever meet in your life
    time"*
    then later:
    "as the big players get it so badly wrong infront of the international
    stage"

    isnt that conflicting ? first you pretend that you (and your imaginary
    group) would be the biggest **** out there,
    but then you refer to SANS as the big players while you first braged that
    your imaginary people work for MS etc.
    try to keep your story straight

    Message
    *From:* n3td3v <n3td3v (AT) gmail (DOT) com>
    *To:* full-disclosure (AT) lists (DOT) grok.org.uk
    *Sent:* Sunday, March 26, 2006 5:46 AM
    *Subject:* Re: [Full-disclosure] Industry calls on Microsoft to
    scrapPatchTuesday for Critical flaws

    Wow, hence the ideals of being an anonymous group. Like if names were put
    to list, they wouldn't be sacked straight away Wake up, smell the
    postitives of being anonymous for five minutes, or maybe that leaves you,
    CERT, SANS a bit head rubbed, just like SANS once said FIREFX posed a
    lesser threat that IE. H, the guys I speak to at MS were chuckling about
    that one. course SANS reversed their claim that FIREFX was less
    vulnerable than IE later, much later. The credibility of SANS, of course
    comes into questions, while folks at n3td3v c onsortium laugh with glee,
    as the big players get it so badly wrong infront of the international stage.

    3/26/06, William Lefkovics <william (AT) lefkovics (DOT) netwrote:

    Not to mention the absence of legitimate names of the folks.

    Message
    From: full-disclosure-bounces (AT) lists (DOT) grok.org.uk
    [mailto:full-disclosure-bounces (AT) lists (DOT) grok.org.uk] On Behalf Of Mike Hoye
    Sent: Saturday, March 25, 2006 7:08 PM
    To: full-disclosure (AT) lists (DOT) grok.org.uk
    Subject: Re: [Full-disclosure] Industry calls on Microsoft to scrap
    PatchTuesday for Critical flaws

    Sun, Mar 26, 2006 at 03:39:32AM +0100, n3td3v wrote:
    reason being the folks within the n3td3v group are actually people
    from MS, YAH, AL, etc already.

    You know, legitimate groups don't have to keep claiming, over and over,
    that they're legit.

    It's remarkable how that works.
  • No.13 | 3190 bytes

    Forwarded message
    From: nick johnson <ch0pstik (AT) gmail (DOT) com>
    Date: Mar 27, 2006 6:25 AM
    Subject: Re: [Full-disclosure] Industry calls on Microsoft to
    scrap PatchTuesday for Critical flaws
    To: MR BABS <mrbabs (AT) gmail (DOT) com>

    "You can not possibly understand the extent of n3td3v's absolute
    powers. N3td3v is infallible. Tom Cruise is, in fact, a member. The
    infosec community is just one big lol after the last."

    QFT

    3/26/06, MR BABS <mrbabs (AT) gmail (DOT) com> wrote:
    You can not possibly understand the extent of n3td3v's absolute powers.
    N3td3v is infallible. Tom Cruise is, in fact, a member. The infosec
    community is just one big lol after the last.
  • No.14 | 4632 bytes

    You, sir, are a genius.

    ad (AT) heapoverflow (DOT) com wrote:

    >body contains n3td3v
    >from contains n3td3v
    >
    >delete message
    >delete from pop server
    >
    >is a good solution in thunderbird to get rid of this FD bug.
    >
    >cheers.
    >
    >ad (AT) heapoverflow (DOT) com wrote:
    >
    >>well for me n3td3v and probably a lot here, you are in the junk
    >>settings because I think most of the FD list is really pissed off by your
    >>international kiddie attitude
    >>
    >>n3td3v wrote:
    Sorry to say the n3td3v group involves employees (rogue) who
    have called for this. You can ringgle and ranggle your political
    point of users within the MS not having enough time scale to
    promote to a certain issue, but that's complete crap. reason
    being the folks within the n3td3v group are actually people
    from MS, YAH, AL, etc already. The folks at n3td3v group are
    part of the industry already, for you to put your point across
    Mr Valdis is cool, but the n3td3v group if you hadn't realised
    before is part of a between the major dot coms.

    3/26/06, Valdis.Kletnieks (AT) vt (DOT) edu wrote:

    Sat, 25 Mar 2006 22:12:23 GMT, n3td3v said:

    You Microsoft must officially agree that all flaws marked as "Critical" must
    have a patch within 7 to 14 days of public disclosure.

    K Nice try.

    Too bad you didn't add a requirement that the patch actually be
    *correct*.

    Also, you're totally overlooking the fact that *sometimes*,
    fixing a problem requires some major re-architecting - for
    instance, if an API has to be changed, then *every* caller has
    to be updated, and quite possibly re-designed, and the changes
    have an annoying tendency to ripple outward (if subroutine A
    has a 7th parameter added, then everybody who calls A has to be
    updated. And it's likely that you'll find routines B, C, and
    D that have no *idea* what the correct value of the parameter
    should be, because they don't have access to the data - so now
    callers of B, C, and D have to pass another parameter that gets
    passed to A).

    Any company that will commit to a "must" on this one is nuts.
    It's a good target, but making it mandatory is just asking
    companies to ship a half-baked patch that seems to fix the PoC
    rather than the underlying design flaw.

    And going back and reviewing the patch history on IE is
    instructive - more than once, Microsoft has released a patch
    for a known Javascript flaw, only to find out within a week
    that a very slight change would make the exploit work again.

    Is that *really* what you want? It's certainly not what *I*
    want. Waiting another 3-4 days past your arbitrary 14-day
    limit for a *good* patch is certainly preferable for those of
    us who actually have to deal with this stuff for a living,
    rather than hide out on a Yahoo group.

