Re[2]: [Full-Disclosure] Correction to latest Colsaire advisories

Dear advisories,

--Tuesday, September 14, 2004, 2:03:31 PM, you wrote to full-disclosure@lists.netsys.com:

a> It's always good to be correct(ness).

a> At the time the research was conducted (August 2003) we obviously
a> looked around for as much information as possible prior to
a> commencing. There were a number of individual MIME issues around, but
a> most were single-product vulnerabilities. If the 3APA3A white paper
a> you refer to was in existence at this time, it was not one we
a> encountered.

http://www.google.com/search?q=content+filtering+bypass

It was very hard _not_ to find this whitepaper (and few more issues,
BTW, I need to update it :-) .

a> It has also been recently updated to include the latest
a> information, so I can not comment on its previous content.

This is content of initial post (February, 2002):

http://www.securityfocus.com/archive/1/256619
http://www.securiteam.com/securitynews/5DP0I206AY.html

I teach first year students to Google search. Do you want to hire me?

a> The Corsaire research project produced test cases for around 200 working
a> attack vectors, that when passed through the top 10 content products
a> produced over 800 individual vulnerabilities (needless to point out that
a> there are a lot more than 10 products in this arena).

And lot more than 200 attack vectors.

This is a really serious work for serious company. Of cause, poor, busy
and tired 3APA3A can not do it alone. 80% of his attempts to contact
vendors with the cry to test their products failed. Your work is really
great, but: I see no results of your work: a list of vulnerable
products.

200 x 10 table is 3 screens of data. Why not to publish it instead of
~10 uninformative advisories? What is impact of this advisories except
self-advertising? I have some experience in this area, but I can't
identify exact problems from provided information except issues I
already know. How this information helps vendors to secure their
products? How can you prevent same bugs from appearing in future
products if you do not disclosure details? Should they all buy your
services to get more detailed information?

-- 
~/ZARAZA
Ñòðåëÿÿ âî âòîðîé ðàç, îí èñêàëå÷èë ïîñòîðîííåãî. Ïîñòîðîííèì áûë ÿ. (Òâåí)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html