On 03.01.2008 at 01:20, Roflek of TK53 wrote:

> On Jan 3, 2008 12:48 AM, Christoph Cordes <[EMAIL PROTECTED]> wrote:
>> Let's leave the technical part out, since this is not a technical
>> issue as it seems. Tomasz did not deny anything, he just said that
>> these are minor issues. I fully understand that your ego gets pushed
>> by seeing your nick in a post on FD and you simply can't cope with
>> opinions that differ that much from yours. Somehow I suspect this is
>> something personal, not technical.
>
> Yes, I'm evil, I'm mean, I need ego boosts by posting on FD. You
> totally caught me.

Don't try to bend my words in a way you can make use of them. I did not say you're evil or mean. All I said is that your ego gets pushed by seeing your nick on the FD list. That's not even selfish and for sure not evil or mean - it's just your way to get a kick - others jump from bridges with a rope around the leg. I don't have to like it, but I understand the motivation. The point where things get complicated is your obviously personal attack against people that have an opposite opinion. This is not an acceptable way to discuss things in a public forum.

>
>>> Or is your denial simply the result of the personal hurt because all
>>> types of security groups pwn teh shit out of ClamAV? Better be happy
>>> that at least somebody audits your code, or take the next step:
>>> rigorously audit the code by yourself.
>>
>> Oh wait - if you talk about security groups I hope you don't think
>> this includes you?! Security groups are usually not interested in
>> "pwning the shit out of something" - that's what kids do.
>
> "pwning the shit" is merely the ironic exaggeration of the bad
> security record of ClamAV in the last 2 to 3 years.

Nice excuse. But failed. I look at your mail address, I see the subject - irony is a fine art - and we are both no artists.

>
>> The security groups we worked together till now usually have a clue
>> about responsible disclosure and things like that. If you really
>> would give a sh*t about security and/or if you would believe that the
>> "vulnerabilities" you found are that severe, you would follow the
>> common guidelines of disclosure. But hey, it's not about security, is
>> it?
>
> Responsible disclosure is just one opinion about how vulnerabilities
> should be published, and I don't share this opinion, nor do I want to
> be forced into such a process. In fact, too often so-called
> "responsible" disclosure has been used to either sweep issues under
> the rug or to abuse and/or sue security researchers.

There are enough ways of disclosure without the risk of being sued or abused, but this usually comes with the disadvantage of anonymity - but that's usually not a problem for people who care about security and not about credits.

>
> BTW, I never claimed that the issues that we found are severe (I find
> the severity scores incl. their subscores in CVE-2007-659{5,6} to
> match pretty well). At least I don't deny that there's a bunch of
> locally exploitable vulnerabilities in ClamAV, and if I had access to
> the SVN repository, I would commit the (trivial) fixes to it, instead
> of asserting that the described vulnerabilities aren't a problem
> without fully understanding the implications of symlink races (the
> flamebait subject says it all).

So what's the point? You started flaming right after Tomasz declared the reported issues as minor. Now you just switch to a completely other behavior, you agree that these are minor issues. You want to be taken seriously? OK - then stop personal attacks, write your mails, wait a day, read them carefully, make sure you can really stand your ground and if you're sure about it - hit the send button. And if you're not sure: let it be!

>
>> Thanks for reporting the bugs.
>
> You meant vulnerabilities.

No, don't try to tell me what I mean. I wrote "bugs" and not only because the word is easier to spell.

--
Best regards,
Christoph

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html