Coordination with LMH / MoAB?


Landon Fuller

Jan 7, 2007, 5:56:49 PM
to moab...@googlegroups.com
Posted to my blog, reproducing here:

LMH of the MoAB contacted me regarding coordination of fixes. He has
posted the conversation.

I should state outright that I respectfully disagree with the
decision to release exploits with no vendor notification. I also am
not a security researcher, and as such I strongly prefer to recuse
myself from the heated debate and focus on providing fixes.

That said, the initial goal of this effort was to have some fun, and
to provide a quick fix for some serious issues. I never expected
anyone to notice, and was perfectly comfortable labouring away in
quiet obscurity. Lots of people noticed, however.

What do you think? Is it worth coordinating? Is it worth continuing
providing fixes?

-landonf


Remy Porter

Jan 7, 2007, 6:01:40 PM
to moab...@googlegroups.com
Personally, I think it'd be great to coordinate. While there are some
valid concerns about what LMH is up to - it's a very dangerous
methodology - we all have the same goal: providing fixes.

I think that staying out of the debate is a great idea, and let's take
whatever help we can get when it comes to actually fixing things. In
the end, everybody wins.


--
--------------------------------------
Remy Porter
Geek, artist, and
trouble maker extraordinaire.

If it involves a computer,
and you need it,
he can do it.
--------------------------------------

Rosyna

Jan 7, 2007, 7:11:49 PM
to moab...@googlegroups.com, Landon Fuller
I think it's a horrible idea. These guys are just trolls looking for
attention. And they (well, LMH especially) aren't the brightest
knives in the drawer. They get very, very simple things wrong.

They also seem incredibly vindictive. They purposefully don't tell
developers about bugs just to make more news. Look at the VLC one,
they could have fixed it themselves, but instead they wanted to get
their names out. Same for the OmniWeb issue, OmniGroup fixed it very
quickly with their 5.5.2, but someone at the OmniGroup complained the
MOAB trolls didn't even tell them about it.

So it'd look really, really bad for all if they'd tell a third party
dev about a bug in software hours before the actual developer of the
app finds out.

Ack, at 1/7/07, Landon Fuller said:

>What do you think? Is it worth coordinating? Is it worth continuing
>providing fixes?

--


Sincerely,
Rosyna Keller
Technical Support/Carbon troll/Always needs a hug

Unsanity: Unsane Tools for Insanely Great People

It's either this, or imagining Phil Schiller in a thong.

John Stalberg

Jan 7, 2007, 7:57:06 PM
to moab...@googlegroups.com
I agree with Rosyna. If moabfixes take this step and begin to cooperate
with MoAB, moabfixes would lose credibility (were it that exist).
I'm not even sure if these fixes aren't too much already by now!? The
pragmatic, "doing it for fun"-attitude moabfixes somehow breathes, may
take attention away from the seriousness of the whole thing. I
suggest moabfixes take a clear stand against MoAB by upfront
declaring you are not going to have anything to do with them. Any
previews should go where they belong, to the developers of the
applications. Until we see that happen, there is no reason for
moabfixes to collaborate with MoAB in any way. On the contrary!

John Stalberg


Augie Fackler

Jan 7, 2007, 7:58:14 PM
to moab...@googlegroups.com

On Jan 7, 2007, at 6:11 PM, Rosyna wrote:

>
> I think it's a horrible idea. These guys are just trolls looking
> for attention. And they (well, LMH especially) aren't the
> brightest knives in the drawer. They get very, very simple things
> wrong.
>
> They also seem incredibly vindictive. They purposefully don't tell
> developers about bugs just to make more news. Look at the VLC one,
> they could have fixed it themselves, but instead they wanted to get
> their names out. Same for the OmniWeb issue, OmniGroup fixed it
> very quickly with their 5.5.2, but someone at the OmniGroup
> complained the MOAB trolls didn't even tell them about it.

I concur - the whole attitude of their site feels needlessly
vindictive against Mac users as a whole, and the software vendors in
particular. They're trolls, and I think doing anything which gives
them a "we're being responsible" leg to stand on is a Bad Thing,
because in my book responsible disclosure involves warning the vendor
ahead of time.

Landon Fuller

Jan 7, 2007, 8:23:03 PM
to moab...@googlegroups.com
Thanks for your input,

I think that I will have to respectfully decline LMH's offer of
coordination. I genuinely appreciate the gesture of goodwill, but I
don't feel that it is the right thing to do. I know some of you will
disagree with me (and some will agree) -- but upon reflection, I
can't personally compromise the ethical point, though the offer may
be very tempting.

I hope you'll all understand, and we can get back to bug fixes
quickly. Up next, the CoreGraphics patch I promised!

-landonf


toad...@hotmail.com

Jan 7, 2007, 11:33:48 PM
to MOAB Fixes
I also fully agree with your decision. I have been following this
project since the beginning, and I am proud of what it has accomplished
so far, and I wouldn't want to damage its reputation. I have to say,
collaboration sounds great, but ethics outweighs it any day of the
week. I praise you on your decision!
