[Full-disclosure] Security Researcher Not Particularly Humiliated
- From: nytrokiss at gmail.com (James Matthews)
- Subject: [Full-disclosure] Security Researcher Not Particularly Humiliated
- Date: Sun, 8 Apr 2007 10:44:00 -0700
Well all I have to say is that it's real 0-day!

On 4/8/07, George Ou <george_ou at lanarchitect.net> wrote:
>
> Yeah that's a stupid accusation against you Raven. He was suggesting
> somehow that if you get your machine owned then you can't be protecting
> other people's computers or something and that was really retarded. Yes he
> WAS a troll.
>
> As for Apple going to the press to humiliate you, that's very typical of
> their PR operation. After the SecureWorks incident and after I spoke with
> their PR, I know them all too well. But even I'm shocked that they would
> bring your boyfriend in to this.
>
> Thanks for taking the tough questions from the audience. Don't mind this
> jerk and don't mind Apple. You have nothing to be ashamed of. Keep up the
> good work.
>
>
> George Ou
>
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Raven Alder
> Sent: Sunday, April 08, 2007 2:00 AM
> To: full-disclosure at lists.grok.org.uk
> Subject: [Full-disclosure] Security Researcher Not Particularly Humiliated
>
> Hiya --
>
> > Security conference staff needs to do a better job of screening
> > their audiences to prevent this sort of harassment during
> > presentations. I must admit that I am afraid to present at future
> > conferences if there is the possibility of being humiliated like
> > this during my talks.
>
> As the researcher in question, I didn't feel particularly
> humiliated. Sure, I thought the guy was a troll, but I figured that he
> was just being a jerk to me because he had some chip on his shoulder and
> couldn't find anything to complain about in my talk. But really, his
> big tac-nuke against me was that there was some undisclosed bug in
> Apple's code? That's hardly my fault. I don't write their OS, and the
> thing was fully patched, firewalled, hardened, and still got popped.
> Shit happens.
>
> I didn't go public with it because I wanted a smoking gun first.
> Security is very much a "show me" industry, and I didn't want to make
> claims that I couldn't substantiate. I did approach Apple, and they
> pretty much blew me off. I sent them a detailed event report, offered
> up my system for forensic analysis, and offered to help in any way I
> could. They went to the press, gave a reporter my name (I had not gone
> to the press), and dished some crap about how I let my boyfriend use my
> computer and he probably did something to disable my firewall and cause
> it to auto-own itself or something. Dude. My boyfriend does not have
> admin permissions on my machine, for starters. Way to help, Apple.
>
> After realizing that Apple were not my friends and were more
> interested in their PR spin than they were in finding and fixing the
> problem, I stopped talking to them. I had several OS X geeks have a
> look at the system, and none of them were able to find anything more
> conclusive than I did. Forensics geeks, same thing. So, I dumped the
> filesystem for posterity, vowed that no OS X box was going on a hostile
> network again, and reformatted the thing.
>
> Sorry, folks, but I'm not going to share my filesystem dump with
> people that I do not already know and trust. Don't even ask.
>
> Not even if you're Apple. You leak my name to the press when
> I'm trying to help you find your flaw, you get no more help from me.
>
> All of this is pretty irrelevant to the talk I gave. Still, I
> don't feel that audience screening is the way to solve the problem -- I
> don't want to quash honest questions and interest in the projects I'm
> working on, and I think any screening that wouldn't be trivially
> defeated by lying-fu would be draconian enough to be detrimental to free
> and open discourse. There are always going to be trolls. I think the
> audience and convention response was about as good as it could have been
> -- the troll got told off by several people, two of them with the mike,
> but it was pretty clear that most people were more interested in the
> technical content of the talk than they were in his effort to get my
> goat. The conference organizers offered sympathy, and that was kind of
> them; I believe the guy got pitched out of the con for going on to
> harass a few other folks too. Charming gent.
>
> So, really, I don't think I have anything to be ashamed of, and
> I certainly don't feel humiliated. I can see why getting ad hominem
> questions might make getting up on stage more intimidating for future
> speakers, but I don't intend to let that shut me up. [grin]
>
> Cheers,
> Raven
>
> --
> @
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com