Thank you Gary....this is what I was talking about last night....
If an attacker is going to attack our services... I'd rather him have to start
from scratch and figure it out himself rather than be handed a gold key to
get in...

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gary Mauer
Sent: Wednesday, December 22, 1999 2:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] [w00giving '99 #11] IMail's password encryption scheme

> All I can say is EXACTLY. You never know. But think. Would you
> rather know there is a problem and get a patch for it or never know
> there is a problem and get your system compromised by an attacker who
> knows how to exploit the problem? I believe you would go with the
> former.

And all I can say is I'd rather the half-assed attacker didn't find out about
something like this the easy way - and I'd rather have Mike XXX work harder
to minimize the chance of that happening.

Gary Mauer
[EMAIL PROTECTED]
Host/Moderator of the Window Cleaning Network
- Your People, Product and Information Site -
http://www.window-cleaning-net.com/
Email Groups - 980 Networking Links
8 Bulletin Board and 21 Trade Show Links
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Mike
> Sent: Wednesday, December 22, 1999 12:28 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] [w00giving '99 #11] IMail's password encryption scheme
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > > Lastly, let me reiterate. There were no fees. I don't know where
> > > you came up with that assumption.
> >
> > I came up with the assumption while looking for the word "free" in
> > this statement...
> > > > Actually, if you read the patch information, I sent them an
> > > > email on the 13th and a second email on the 18th alerting them
> > > > of the problem and offering them my services to help rectify
> > > > the problem. I received no response.
> >
> > So it's not about the money - and you do something else for a
> > living.
> >
> > But frankly, if this is a hobby of yours, I think I may be less
> > impressed.
>
> Actually, I do do this for a living. Although, in this instance, my
> work had nothing to do with this. I did this one purely on my own
> time.
>
> > I don't know why you publicized this thing- and I am not so much
> > concerned about the posting on this list as what went on elsewhere.
> >
> > People have threatened to cause problems with my services in the
> > past - mostly blowhards, I think, but you never really know.
> >
> > I just don't feel like you did me any favors, Mike - like my
> > situation is a little less secure because of all this.
>
> Well here is the reason I publicized this. If no one told the public
> that there is a problem with IMail's encryption scheme and the
> "underground" (I use this term loosely) had known about this, the
> underground would now have one more tool to elevate their privileges
> on a compromised system.
>
> You are a heck of a lot less secure if the vendor and public know
> nothing, but the underground does. Publicizing problems when the
> vendor does nothing to rectify them forces them to do something and
> in my opinion betters the users of the vendor's software.
>
> You state:
> "People have threatened to cause problems with my services in the
> past - mostly blowhards, I think, but you never really know."
>
> All I can say is EXACTLY. You never know. But think. Would you
> rather know there is a problem and get a patch for it or never know
> there is a problem and get your system compromised by an attacker who
> knows how to exploit the problem? I believe you would go with the
> former.
>
> Mike
> eEye Digital Security Team
> www.eEye.com
>
> Fingerprint:
> AD0F 16F9 0067 7772 EFA9 996F 9AD2 5F16 A6AF EA7C
> > Gary Mauer
> >
> > [EMAIL PROTECTED]
> >
> > Host/Moderator of the Window Cleaning Network
> > - Your People, Product and Information Site -
> > http://www.window-cleaning-net.com/
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOGBvbprSXxamr+p8EQIhEgCfTipb5/7327SvxVcGkDv0PvraHSYAnivy
> PBO+nTQJBMR1dD7kQx4GbLEx
> =g3Vh
> -----END PGP SIGNATURE-----
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>