LMH of the MoAB contacted me regarding coordination of fixes. He has
posted the conversation.
I should state outright that I respectfully disagree with the
decision to release exploits with no vendor notification. I also am
not a security researcher, and as such I strongly prefer to recuse
myself from the heated debate and focus on providing fixes.
That said, the initial goal of this effort was to have some fun, and
to provide a quick fix for some serious issues. I never expected
anyone to notice, and was perfectly comfortable labouring away in
quiet obscurity. Lots of people noticed, however.
What do you think? Is it worth coordinating? Is it worth continuing
providing fixes?
-landonf
I think that staying out of the debate is a great idea, and let's take
whatever help we can get when it comes to actually fixing things. In
the end, everybody wins.
--
--------------------------------------
Remy Porter
Geek, artist, and
trouble maker extraordinaire.
If it involves a computer,
and you need it,
he can do it.
--------------------------------------
They also seem incredibly vindictive. They purposefully don't tell
developers about bugs just to make more news. Look at the VLC one,
they could have fixed it themselves, but instead they wanted to get
their names out. Same for the OmniWeb issue, OmniGroup fixed it very
quickly with their 5.5.2, but someone at the OmniGroup complained the
MOAB trolls didn't even tell them about it.
So it'd look really, really bad for all if they'd tell a third party
dev about a bug in software hours before the actual developer of the
app finds out.
Ack, at 1/7/07, Landon Fuller said:
>What do you think? Is it worth coordinating? Is it worth continuing
>providing fixes?
--
Sincerely,
Rosyna Keller
Technical Support/Carbon troll/Always needs a hug
Unsanity: Unsane Tools for Insanely Great People
It's either this, or imagining Phil Schiller in a thong.
John Stalberg
> I think it's a horrible idea. These guys are just trolls looking
> for attention. And they (well, LMH especially) aren't the
> brightest knives in the drawer. They get very, very simple things
> wrong.
>
> They also seem incredibly vindictive. They purposefully don't tell
> developers about bugs just to make more news. Look at the VLC one,
> they could have fixed it themselves, but instead they wanted to get
> their names out. Same for the OmniWeb issue, OmniGroup fixed it
> very quickly with their 5.5.2, but someone at the OmniGroup
> complained the MOAB trolls didn't even tell them about it.
I concur - the whole attitude of their site feels needlessly
vindictive against Mac users as a whole, and the software vendors in
particular. They're trolls, and I think doing anything which gives
them a "we're being responsible" leg to stand on is a Bad Thing,
because in my book responsible disclosure involves warning the vendor
ahead of time.
I think that I will have to respectfully decline LMH's offer of
coordination. I genuinely appreciate the gesture of goodwill, but I
don't feel that it is the right thing to do. I know some of you will
disagree with me (and some will agree) -- but upon reflection, I
can't personally compromise the ethical point, though the offer may
be very tempting.
I hope you'll all understand, and we can get back to bug fixes
quickly. Up next, the CoreGraphics patch I promised!
-landonf