LMH of the MoAB contacted me regarding coordination of fixes. He has posted the conversation.
I should state outright that I respectfully disagree with the decision to release exploits with no vendor notification. I also am not a security researcher, and as such I strongly prefer to recuse myself from the heated debate and focus on providing fixes.
That said, the initial goal of this effort was to have some fun, and to provide a quick fix for some serious issues. I never expected anyone to notice, and was perfectly comfortable labouring away in quiet obscurity. Lots of people noticed, however.
What do you think? Is it worth coordinating? Is it worth continuing providing fixes?
Personally, I think it'd be great to coordinate. While there are some valid concerns about what LMH is up to- it's a very dangerous methodology- we all have the same goal- providing fixes.
I think that staying out of the debate is a great idea, and let's take whatever help we can get when it comes to actually fixing things. In the end, everybody wins.
On 1/7/07, Landon Fuller <land...@macports.org> wrote:
> LMH of the MoAB contacted me regarding coordination of fixes. He has posted the conversation.
> I should state outright that I respectfully disagree with the decision to release exploits with no vendor notification. I also am not a security researcher, and as such I strongly prefer to recuse myself from the heated debate and focus on providing fixes.
> That said, the initial goal of this effort was to have some fun, and to provide a quick fix for some serious issues. I never expected anyone to notice, and was perfectly comfortable labouring away in quiet obscurity. Lots of people noticed, however.
> What do you think? Is it worth coordinating? Is it worth continuing providing fixes?
> -landonf
--
--------------------------------------
Remy Porter
Geek, artist, and trouble maker extraordinaire.
If it involves a computer, and you need it, he can do it.
--------------------------------------
I think it's a horrible idea. These guys are just trolls looking for attention. And they (well, LMH especially) aren't the brightest knives in the drawer. They get very, very simple things wrong.
They also seem incredibly vindictive. They purposefully don't tell developers about bugs just to make more news. Look at the VLC one: they could have fixed it themselves, but instead they wanted to get their names out. Same for the OmniWeb issue; OmniGroup fixed it very quickly with their 5.5.2, but someone at the OmniGroup complained the MOAB trolls didn't even tell them about it.
So it'd look really, really bad for all if they'd tell a third party dev about a bug in software hours before the actual developer of the app finds out.
Ack, at 1/7/07, Landon Fuller said:
> What do you think? Is it worth coordinating? Is it worth continuing providing fixes?
--
Sincerely, Rosyna Keller Technical Support/Carbon troll/Always needs a hug
Unsanity: Unsane Tools for Insanely Great People
It's either this, or imagining Phil Schiller in a thong.
I agree with Rosyna. If moabfixes takes this step and begins to cooperate with MoAB, moabfixes would lose credibility (if it even exists). I'm not even sure if these fixes aren't too much already by now!? The pragmatic, "doing it for fun" attitude moabfixes somehow breathes may take attention away from the seriousness of the whole thing. I suggest moabfixes take a clear stand against MoAB by upfront declaring you are not going to have anything to do with them. Any previews should go where they belong: to the developers of the applications. Until we see that happen, there is no reason for moabfixes to collaborate with MoAB in any way. Quite the opposite!
John Stalberg
On 8 jan 2007, at 01.11, Rosyna wrote:
> I think it's a horrible idea. These guys are just trolls looking for attention. And they (well, LMH especially) aren't the brightest knives in the drawer. They get very, very simple things wrong.
> They also seem incredibly vindictive. They purposefully don't tell developers about bugs just to make more news. Look at the VLC one: they could have fixed it themselves, but instead they wanted to get their names out. Same for the OmniWeb issue; OmniGroup fixed it very quickly with their 5.5.2, but someone at the OmniGroup complained the MOAB trolls didn't even tell them about it.
> So it'd look really, really bad for all if they'd tell a third party dev about a bug in software hours before the actual developer of the app finds out.
> Ack, at 1/7/07, Landon Fuller said:
>> What do you think? Is it worth coordinating? Is it worth continuing providing fixes?
> Unsanity: Unsane Tools for Insanely Great People
> It's either this, or imagining Phil Schiller in a thong.
> I think it's a horrible idea. These guys are just trolls looking for attention. And they (well, LMH especially) aren't the brightest knives in the drawer. They get very, very simple things wrong.
> They also seem incredibly vindictive. They purposefully don't tell developers about bugs just to make more news. Look at the VLC one: they could have fixed it themselves, but instead they wanted to get their names out. Same for the OmniWeb issue; OmniGroup fixed it very quickly with their 5.5.2, but someone at the OmniGroup complained the MOAB trolls didn't even tell them about it.
I concur - the whole attitude of their site feels needlessly vindictive against Mac users as a whole, and the software vendors in particular. They're trolls, and I think doing anything which gives them a "we're being responsible" leg to stand on is a Bad Thing, because in my book responsible disclosure involves warning the vendor ahead of time.
> So it'd look really, really bad for all if they'd tell a third party dev about a bug in software hours before the actual developer of the app finds out.
> Ack, at 1/7/07, Landon Fuller said:
>> What do you think? Is it worth coordinating? Is it worth continuing providing fixes?
I think that I will have to respectfully decline LMH's offer of coordination. I genuinely appreciate the gesture of goodwill, but I don't feel that it is the right thing to do. I know some of you will disagree with me (and some will agree) -- but upon reflection, I can't personally compromise the ethical point, though the offer may be very tempting.
I hope you'll all understand, and we can get back to bug fixes quickly. Up next, the CoreGraphics patch I promised!
> LMH of the MoAB contacted me regarding coordination of fixes. He has posted the conversation.
> I should state outright that I respectfully disagree with the decision to release exploits with no vendor notification. I also am not a security researcher, and as such I strongly prefer to recuse myself from the heated debate and focus on providing fixes.
> That said, the initial goal of this effort was to have some fun, and to provide a quick fix for some serious issues. I never expected anyone to notice, and was perfectly comfortable labouring away in quiet obscurity. Lots of people noticed, however.
> What do you think? Is it worth coordinating? Is it worth continuing providing fixes?
I also fully agree with your decision. I have been following this project since the beginning, and I am proud of what it has accomplished so far, and I wouldn't want to damage its reputation. I have to say, collaboration sounds great, but ethics outweighs it any day of the week. I praise you on your decision!
On Jan 7, 7:23 pm, Landon Fuller <land...@macports.org> wrote:
> I think that I will have to respectfully decline LMH's offer of coordination. I genuinely appreciate the gesture of goodwill, but I don't feel that it is the right thing to do. I know some of you will disagree with me (and some will agree) -- but upon reflection, I can't personally compromise the ethical point, though the offer may be very tempting.
> I hope you'll all understand, and we can get back to bug fixes quickly. Up next, the CoreGraphics patch I promised!
> -landonf
> On Jan 7, 2007, at 2:56 PM, Landon Fuller wrote:
>> Posted to my blog, reproducing here:
>> LMH of the MoAB contacted me regarding coordination of fixes. He has posted the conversation.
>> I should state outright that I respectfully disagree with the decision to release exploits with no vendor notification. I also am not a security researcher, and as such I strongly prefer to recuse myself from the heated debate and focus on providing fixes.
>> That said, the initial goal of this effort was to have some fun, and to provide a quick fix for some serious issues. I never expected anyone to notice, and was perfectly comfortable labouring away in quiet obscurity. Lots of people noticed, however.
>> What do you think? Is it worth coordinating? Is it worth continuing providing fixes?