Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: Official wall of shame
Posted by: rsnake
Date: September 30, 2006 04:59PM

To add one more problem to this though, one would argue that it completely depends on the type of disclosure. We aren't spamming email lists, or emailing the companies directly. One would argue that because they aren't surfing every bulletin board in the world they aren't doing due diligence, but that's kinda throwing the baby out with the bathwater. Without doing the full disclosure policy through something (at least a modified version of RFPolicy) it's not a particularly good gauge of that. I dunno... I'm just not sure what value that would provide since it wouldn't be a consistent baseline.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Official wall of shame
Posted by: metal_hurlant
Date: September 30, 2006 10:12PM

Yup.
Without notifying affected sites of a problem, we can't hold them accountable for not fixing it.
On the other hand, I typically spend longer hunting down a reasonable security email address for a site than it took to find the problem in the first place.

Would it make sense to have the "wall of shame" incorporate a "best effort" notification mechanism? (I'm thinking whois email scraping with the option of overriding that if a better email contact is found somehow. A deluxe option could scrape homepages for links that m/contact|about/ then scrape those pages for email addresses as a stronger attempt to get someone's attention.)

Other random feature requests for this setup would include a few "top 10" lists, such as "top 10 XSS finders", "top 10 XSS finders this month", "top 10 domains with XSS", etc..
Those kinds of little niceties would provide a small yet fun incentive to contribute (a bit like http://www.zone-h.org/component/option,com_topatt/Itemid,48/ , but without the whole unauthorized computer access aspect.. )

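The "best effort" notification heuristic sketched in the post above (scrape the homepage for links matching contact|about, scrape those pages for email addresses, fall back to a whois contact unless someone supplies a better one) can be put together as follows. This is an added example, not code from the thread or from the sla.ckers.org site; the site contents, the `example.test` addresses and the `fetch()` stand-in for an HTTP GET are all constructed so it runs offline, and the ranking of mailbox names (security before abuse, webmaster, support) is an assumption of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: a homepage plus the pages it links to, held in memory
# so the example runs without network access.
SITE = {
    "https://example.test/": """<html><body>
      <a href="/products">Products</a>
      <a href="/about-us">About us</a>
      <a href="/contact">Contact</a>
      <a href="https://partner.test/contact">Partner</a>
      </body></html>""",
    "https://example.test/about-us": "<p>Founded 2001. Press: press@example.test</p>",
    "https://example.test/contact": """<p>Support: <a href="mailto:support@example.test">email</a>.
      Security issues: security@example.test</p>""",
}

CONTACT_LINK = re.compile(r"contact|about", re.IGNORECASE)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed preference order for the local part of a scraped address.
PRIORITY = ("security", "abuse", "webmaster", "support")


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def fetch(url):
    """Stand-in for an HTTP GET: returns the constructed page body or None."""
    return SITE.get(url)


def contact_pages(home_url):
    """Same-host links from the homepage whose path matches /contact|about/."""
    parser = LinkExtractor()
    parser.feed(fetch(home_url) or "")
    home_host = urlparse(home_url).netloc
    pages = []
    for href in parser.hrefs:
        full = urljoin(home_url, href)
        if urlparse(full).netloc != home_host:
            continue  # do not wander off to third-party hosts
        if CONTACT_LINK.search(urlparse(full).path) and full not in pages:
            pages.append(full)
    return pages


def find_emails(home_url):
    """Unique, lower-cased addresses found on the contact/about pages."""
    emails = []
    for page in contact_pages(home_url):
        for match in EMAIL.findall(fetch(page) or ""):
            addr = match.lower()
            if addr not in emails:
                emails.append(addr)
    return emails


def rank(emails):
    """Order addresses so a dedicated security mailbox comes first."""
    def key(addr):
        local = addr.split("@")[0]
        for i, word in enumerate(PRIORITY):
            if word in local:
                return i
        return len(PRIORITY)
    return sorted(emails, key=key)


def best_contact(home_url, whois_email=None, override=None):
    """Pick: explicit override > best scraped address > whois contact fallback."""
    if override:
        return override
    ranked = rank(find_emails(home_url))
    return ranked[0] if ranked else whois_email


if __name__ == "__main__":
    print(best_contact("https://example.test/", whois_email="hostmaster@example.test"))
```

Keeping the crawl on the same host and only one hop deep keeps the "deluxe option" from turning into a general-purpose address harvester; the whois address is used only when nothing better is found, and an override always wins, matching the post's suggestion.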
Re: Official wall of shame
Posted by: rsnake
Date: September 30, 2006 11:41PM

That is actually not a bad idea at all (the top lists). The problem is verification, so it might have to be an honor system. Another idea that came to mind is some sort of list of security email aliases. So if I want to disclose issues in company.com I just do a lookup and get the email address associated with the security folks there. It would require maintenance, but I'm sure it wouldn't be too hard to put together.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Official wall of shame
Posted by: Kyran
Date: September 30, 2006 11:54PM

Perhaps we need a wiki ABOUT sites, email, etc.,
and a different area altogether for disclosure/lists/etc.

- Kyran

Re: Official wall of shame
Posted by: rsnake
Date: October 01, 2006 01:12AM

That's not a bad idea... id and I'll talk it over.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Official wall of shame
Posted by: Kyran
Date: October 02, 2006 11:17PM

So, how did the talk go? Assuming it happened lol

- Kyran

Re: Official wall of shame
Posted by: rsnake
Date: October 03, 2006 12:09AM

It hasn't... id and I haven't really had a chance to talk since the weekend in dealing with the nukecops fallout... too many things going on at once. We'll chat though, don't fear!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Official wall of shame
Posted by: id
Date: October 03, 2006 02:06AM

I was too hung over today and had too much to do, I should take Mondays off. Make an Office Space reference and I will punch you in the face, twice.

-id

Re: Official wall of shame
Posted by: WhiteAcid
Date: October 03, 2006 04:20AM

Is it me or are you always hung over?

//me goes down for another can, maybe pick up breakfast too.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
