Computer Virus

(O/T)Lavasoft - no full disclosure


    Hey all (long time no see)
    Followed thread about Lavasoft beta threat detector. Seems Lavasoft has a
    problem with full disclosure in respect to software vulnerabilities.
    Perhaps a Lavasoft rep could clarify this. The 'entire' security industry
    covers a wide area:
    "This leads to another area of concern that we address to the entire
    security industry. It is without a doubt a fact that no one can
    anticipate or even design for every potential vulnerability in a given
    security application. Though we and our competitors do everything humanly
    possible to account for and provide appropriate development that will
    eliminate known vulnerabilities, it is true that none of us can foresee
    all vectors of potential attack.
    With that said, independent researchers and testers are an essential part
    of product improvement when they find and then report potential issues.
    This however should be done in a responsible manner rather than to place
    millions of users at risk for nothing more than a sensational story.
    We are appalled at the level of irresponsibility and outright apathy
    being shown by those who pretend to be providing essential security
    information and public debate. All too often these organizations and
    individuals do not care that their information or publication could cause
    damage to users world wide; rather they look only for the headlines
    and/or gains they could get from exposing sensitive information and sit
    basking in the after-glow from the destructive content they helped to
    develop.
    Yes dear reader, this type of irresponsible behavior and lack of
    professional ethics helps foster new malicious code and exploit
    development rather than to bring about positive change or product
    improvements. How often have computer users been placed at risk just
    because someone decided it would be a good idea to publish this type of
    information and for what purpose; just to be first?
    We call on the security news and discussion industry to stop allowing
    publication of vulnerabilities before developers have an appropriate
    opportunity to provide corrections so that users remain protected.
    If you are not part of the solution you are part of the problem.
    Team Lavasoft"
No.1

    Sun, 23 Apr 2006 08:41:56 GMT, Gryph <gryphonn@gmail.com> wrote:

    >Hey all (long time no see)
    >
    >Followed thread about Lavasoft beta threat detector. Seems Lavasoft has a
    >problem with full disclosure in respect to software vulnerabilities.
    >Perhaps a Lavasoft rep could clarify this. The 'entire' security industry
    >covers a wide area:


    <snip of Team Lavasoft rant which is here:

    In my view, the vendors should quit whining and do a far better job of
    engineering and quality control. Instead of whining about independent
    security experts they should be offering them jobs :)

    My rant isn't aimed at Lavasoft in particular but rather at software
    and operating system vendors in general and I don't mean just
    MS.

    Art
    http://home.epix.net/~artnpeg
No.2

    Gryph wrote:
    >Hey all (long time no see)
    >
    >Followed thread about Lavasoft beta threat detector. Seems Lavasoft has a
    >problem with full disclosure in respect to software vulnerabilities.
    >Perhaps a Lavasoft rep could clarify this. The 'entire' security industry
    >covers a wide area:

    they were recently bitten by an article appearing on rootkitDTcom about
    vulnerabilities in their software. quite probably the person involved
    didn't follow responsible disclosure

    addressing their concerns to the entire security industry is reasonable
    as there is a fairly large segment of self-proclaimed whitehats who
    release information more as a way to put a notch in their belts than as
    a way to close various windows of exposure, and a big chunk of the rest
    of them don't care enough to call the first group on their self-serving
    behaviour
No.3

    Mon, 24 Apr 2006 00:10:19 -0400, kurt wismer <kurtw@sympatico.ca>
    wrote:

    >Gryph wrote:
    >>Hey all (long time no see)
    >>
    >>Followed thread about Lavasoft beta threat detector. Seems Lavasoft has a
    >>problem with full disclosure in respect to software vulnerabilities.
    >>Perhaps a Lavasoft rep could clarify this. The 'entire' security industry
    >>covers a wide area:
    >
    >they were recently bitten by an article appearing on rootkitDTcom about
    >vulnerabilities in their software. quite probably the person involved
    >didn't follow responsible disclosure
    >
    >addressing their concerns to the entire security industry is reasonable
    >as there is a fairly large segment of self-proclaimed whitehats who
    >release information more as a way to put a notch in their belts than as
    >a way to close various windows of exposure, and a big chunk of the rest
    >of them don't care enough to call the first group on their self-serving
    >behaviour


    The following rootkit.com forum link to an Ad-Aware critique may be
    what inflamed the Ad-Aware developers:

    and here's the followup concerning their Beta fix:

    There's no indication that the author contacted Lavasoft with his list
    of weaknesses before posting, and it seems odd that he would choose
    that particular forum to air his findings. His postings do have the
    appearance of someone trying to make a reputation for himself, and not
    behaving in a professional manner. However, it doesn't seem to me that
    Lavasoft is handling the situation in a professional manner either.

    No doubt a significant portion of the Lavasoft developer's ire stems
    from the accusation that Ad-Aware falsifies its # of detections upward
    by 43%. I see no refutation of this claim by Lavasoft. And no doubt
    either that there is at least partial validity to the list of
    Ad-Aware security weaknesses since they have started work on fixing
    the def file issue, at least. So hopefully some good will come out of
    this even though the behaviour of both sides leaves much to be
    desired.

    What strikes me about the critique is that vulnerabilities (as I would
    interpret the term) are not the issue. Rather, the critique concerns
    itself mostly with alleged security weaknesses: things that
    could, in the opinion of the author, be done in a more secure manner.
    It seems to me that Lavasoft should have quietly made whatever
    improvements to security they believe are warranted, rather than
    engaging in a general public condemnation of the behaviour of some
    individuals who seem to be more self-serving than objective.

    This all gets me back to the point I was trying to make in my prior
    post: that we seem to be deluged with operating systems
    and software apps which have unnecessary insecurities; that
    insufficient time and/or money are spent on the design of well
    engineered and quality controlled software. Unfortunately, it's a
    problem that's built into the nature of the technological rat race, to
    a large extent. Get it out there and either fix it later or simply
    obsolete it in favor of the latest mess of insecurities. The latest
    and greatest new version will fix everything, right? Too often it will
    bring along with it even more problems than earlier versions had :(

    'Nuff of this rant.

    Art
    http://home.epix.net/~artnpeg
No.4

    Art wrote:
    >Mon, 24 Apr 2006 00:10:19 -0400, kurt wismer <kurtw@sympatico.ca>
    >wrote:
    >>Gryph wrote:
    >>>Hey all (long time no see)
    >>>
    >>>Followed thread about Lavasoft beta threat detector. Seems Lavasoft has a
    >>>problem with full disclosure in respect to software vulnerabilities.
    >>>Perhaps a Lavasoft rep could clarify this. The 'entire' security industry
    >>>covers a wide area:
    >>
    >>they were recently bitten by an article appearing on rootkitDTcom about
    >>vulnerabilities in their software. quite probably the person involved
    >>didn't follow responsible disclosure
    >>
    >>addressing their concerns to the entire security industry is reasonable
    >>as there is a fairly large segment of self-proclaimed whitehats who
    >>release information more as a way to put a notch in their belts than as
    >>a way to close various windows of exposure, and a big chunk of the rest
    >>of them don't care enough to call the first group on their self-serving
    >>behaviour
    >
    >The following rootkit.com forum link to an Ad-Aware critique may be
    >what inflamed the Ad-Aware developers:
    >
    >[snip]
    >
    >and here's the followup concerning their Beta fix:
    >
    >[snip]
    >
    >There's no indication that the author contacted Lavasoft with his list
    >of weaknesses before posting, and it seems odd that he would choose
    >that particular forum to air his findings. His postings do have the
    >appearance of someone trying to make a reputation for himself, and not
    >behaving in a professional manner. However, it doesn't seem to me that
    >Lavasoft is handling the situation in a professional manner either.

    that's a matter of opinion, i suppose. i don't see anything
    unprofessional in pointing out the author of the critique is being part
    of the problem rather than part of the solution

    [snip]
    >What strikes me about the critique is that vulnerabilities (as I would
    >interpret the term) are not the issue. Rather, the critique concerns
    >itself mostly with alleged security weaknesses: things that
    >could, in the opinion of the author, be done in a more secure manner.
    >It seems to me that Lavasoft should have quietly made whatever
    >improvements to security they believe are warranted, rather than
    >engaging in a general public condemnation of the behaviour of some
    >individuals who seem to be more self-serving than objective.

    sorry, i can't agree. if they had been contacted quietly about the
    problems then i would have expected them to quietly fix them. however, i
    see no reason why they should be quiet when someone is trying to make a
    name for themselves at the expense of lavasoft *and* all its users

    the name of the game is supposed to be improving security - to that end
    the goal should be the closure of whatever windows of exposure
    exist for the various vulnerabilities. public disclosure has the
    effect of maximizing risk for those vulnerabilities and is essentially a
    means of using *force* to try and get the vulnerabilities fixed. such
    practices should be a last resort, but more and more self-proclaimed white
    hats aren't even bothering to attempt going through other channels
    first. they're recklessly increasing risk when they don't need to, and
    those who wind up being their victims have every right to complain

    i have every confidence that lavasoft is working to correct the
    problems, but just because they have problems with their software
    doesn't mean they should bend over and take it up the arse from every
    tom, ****, and harry who wants to make a name for themselves
