Date: Thu, 31 May 2018 19:57:02 +0100
From: Pete Batard <pete@...o.ie>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: rufus

On 2018.05.31 19:04, Stefan Kanthak wrote:
> As always, your poor reading skills perfectly match your poor programming
> skills.

Ad hominem.

> "We" wait until the requested CVEs are assigned for both well-known
> vulnerabilities.

Again, what happened to responsible disclosure?

> DLL spoofing was VERY well known long before 2016, and it is neither restricted
> to the CWD nor to runtime linking:

You are deliberately misinterpreting what I said. In 2016 there was a new DLL side loading vulnerability that made the rounds, and that we mitigated against. Your interpretation that our response means that we believe that no other DLL spoofing vulnerabilities can exist, or that a "mitigation" step is a last stop is incorrect, especially as we clearly mentioned applying "some mitigation" factors (emphasis on "some").

But considering that you have clearly chosen to (mis)interpret anything we might say in the manner that will fit your pre-planned narrative, I'm not going to ask you to re-read what I wrote, because your judgement appears to be irremediably clouded.

> Until then, to protect your users, remove Rufus from the net!

I will only say this once: Unless you stop acting like an asshole, and act in a professional manner by treating the people you are dealing with with courtesy and respect (regardless of your *personal* views of whether they deserve it or not), I have exactly zero interest in following up with you. I have dealt with people behaving in a disparaging and less than courteous manner for long enough to know that it is simply not worth anybody's time to try to humour them by maintaining communication.

So either you start behaving in the professional manner one is entitled to expect when developers and security people interact when trying to improve on software security, or this is the very last communication you will receive from me.

>> And of course, with proper non disparaging involvement of security
>> researchers, who subscribe to the established responsible disclosure
>> policy of their profession, we are always eager to improve on our
>> mitigation fixes, if it turns out they aren't adequate.
>>
>> However, we would appreciate if you refrained from jumping to erroneous
>> conclusion about Rufus development being conducted by "bloody
>> beginners", when it is clear that some of the "beginner's"
>> vulnerabilities you list have long had some mitigation factors applied.
>
> I recommend to read the advice other people gave you on
> <https://github.com/pbatard/rufus/issues/1009>: SOME mitigations are
> clearly NOT sufficient, especially if you choose to apply the WRONG
> and IMPROPER mitigations.

Ah, yes, good old #1009. The same one where, if you do your research, you'll find that a reputable security researcher did not apply responsible disclosure, but instead opened a super generic issue about not using SSL, and then, because they were dissatisfied with the initial response they got, did the very unprofessional thing of not following up by demonstrating the vulnerability (which they had allegedly uncovered *before* they created the issue tracker report, but curiously chose not to report then), but instead took to twitter to show a pseudo-vulnerability (where a clear message was issued by Windows that the payload they were trying to execute should not be trusted), to rally a bunch of followers, and, because of a position they could abuse, created a CVE request just to show these puny developers how they should not try to mess with security people... Yup, another prime example of professional behaviour if I may say so.

But of course, once the mob is leaning one way, inconsistencies with the original narrative of one of the parties are a lot more difficult to put into light...

I really have to wonder what the heck happened to responsible disclosure. Or are security researchers no longer interested in helping developers fix their applications in a professional manner, if they can demonstrate a vulnerability, but only in publicly pointing the finger at someone to boost their ego?

Oh, and all of #1009 had to do with the update mechanism (not DLLs or tmp files vulns), for which we applied proper mitigation as soon as they were disclosed to us (rather than a blanket "We'll just switch to SSL, that'll fix everything", which is the wrong approach). So your hyperbolising its limited scope to try to fit your narrative falls a bit flat. But nice try in using WRONG and IMPROPER in all caps, without providing factual information to back these claims up.

> PS: I might even show you that pasting the string "rufus.com" to the
> window which has the focus yields interesting effects.

You might do whatever you want. But until you are prepared to cooperate in a professional and courteous manner, I am not interested in anything further you have to say.

So either you get off your high horse, stop this ego trip, and agree to collaborate in a responsible manner in the issues you think you have uncovered, or you hand them over to someone who will, because, as much as I care about Rufus users having the most secure application I can produce, I genuinely have no interest in trying to pursue further communication with you.

So, at this stage then, the ball on demonstrating that you truly care about protecting the security of application users is entirely in your camp.

And for those who may disagree with that last statement, and think that I should just ignore the abuse and look into the technical aspects (still none of which have been provided in a *specific* attack scenario against Rufus that can be both investigated and analysed), please be mindful that all I am asking here is common professionalism, courtesy and respect.

Regards,

/Pete