sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: Message to Google / YouTube
Posted by: Mongo
Date: June 26, 2007 11:07AM

Ronald Wrote:
-------------------------------------------------------
> I don't understand you guys do this for free.
> Spend all your free time for nothing, and their
> programmers clap into their hands while you guys
> do all the work.

Personally, I think it is fun. Why else would anyone do it? Besides if someone is doing it as a profession.

Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 26, 2007 11:42AM

@Martin

Well, it is a bit naughty that's all. ^^

Now they get a free lunch for hours/days of work. And rest assured you never get a job this way -if someone is interested in a full-time security job- You won't get it by submitting them bugs, instead make a deal with 'em. 50% bugs upfront for x number of $. You have nothing to lose anyway, and if it was illegal, we'll be all sitting in jail right now.

Re: Message to Google / YouTube
Posted by: Martin
Date: June 26, 2007 12:00PM

@Ronald: I suppose it all depends upon how it is phrased. If you say "give me $x or I will release these bugs" then that can be construed as extortion and blackmail which is certainly illegal under UK law. If you say "are you guys interested in giving me $x for some vulns I found" then perhaps this would get around that... basically it shouldn't be threatening in tone.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: Message to Google / YouTube
Posted by: beford
Date: June 26, 2007 04:09PM

I'm a bit late to this thread, however I'm not sure if I'm the only one that thinks this about the post:


Re: Message to Google / YouTube
Date: June 26, 2007 04:44PM

She's got my attention O.o

Re: Message to Google / YouTube
Posted by: kuza55
Date: June 27, 2007 12:16AM

beford Wrote:
-------------------------------------------------------
> I'm a bit late to this thread, however I'm not
> sure if I'm the only one that thinks this about
> the post:
>
> http://www.encyclopediaofstupid.com/stupid/images/thumb/d/d0/300px-Attention_whore3.jpg

At heart a lot of security researchers are attention whores (me included, :p), it doesn't make anything they do any less valid.

Re: Message to Google / YouTube
Posted by: christ1an
Date: June 27, 2007 04:53AM

Beford if you really think so, please go back off in your corner. Obviously you did not understand a thing about all this.

Regards,
- http://christ1an.blogspot.com

_______________________
[http://php-ids.org] Web Application Security 2.0

Re: Message to Google / YouTube
Posted by: beford
Date: June 27, 2007 09:02PM

christ1an Wrote:
-------------------------------------------------------
> Beford if you really think so, please go back off
> in your corner. Obviously you did not understand a
> thing about all this.

I don't understand why you need to make it a big deal, you claim that they didn't answer your mails, did you contact them at their official address security@google.com? Last vulnerability I reported to Google took 15 hours to get fixed, I just sent one mail, explaining the issue, they answered my mail in less than 1 hour, and the next day, the flaw was fixed.

*goes back to corner*

Re: Message to Google / YouTube
Date: June 27, 2007 09:18PM

I prefer to just disclose vulnerabilities publicly, but not bother to even contact the vendor, because it seems like too much of a hassle, and I have only had bad experiences with it.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 28, 2007 12:04AM

@ ALL

I'm glad we are all people with different opinions, otherwise it would be a boring place! ^^ Ghehe...

But to continue with the topic, I think that large companies such as Google need to have a special page on their site where you can submit bugs more easily. Like a form with a submission code and login credentials where you can see the status of the flaw. Because it is so annoying when you send a big mail, spell checking the thing and get no answer. Disrespectful and left me in the place where I am now: I disclose anything on my site. I don't care, if they read it's fine, if they don't it is still their problem, like it was in the first place when I found it.

Google/Youtube has enough money and power to build a small script that scans all their apps daily for vulnerabilities, but they don't. They don't care, that's it. And neither do I in the end.

Re: Message to Google / YouTube
Posted by: christ1an
Date: June 28, 2007 07:31AM

Quote
> I don't understand why you need to make it a big deal, you claim that they didn't answer your mails, did you contact them at their official address security@google.com? Last vulnerability I reported to Google took 15 hours to get fixed, I just sent one mail, explaining the issue, they answered my mail in less than 1 hour, and the next day, the flaw was fixed.
>
> *goes back to corner*

I apologize for my offense, beford. I never intended to make such a big deal about this. The fact is, I contacted them a couple of times without receiving an answer. At the same time, the number of vulnerabilities rose each week or so. So I had to force them to contact me. The only way to make that happen was through sla.ckers because I knew that they read here.

I honestly never thought that so many people would write about it. Didn't expect more than 3-4 answers on this thread. So neither calling me an attention whore nor claiming that I was claiming this or that is right in this case.

Glad to hear they have taken care of your reports so fast.

Regards,
- http://christ1an.blogspot.com

_______________________
[http://php-ids.org] Web Application Security 2.0

Re: Message to Google / YouTube
Posted by: Anonymous User
Date: June 28, 2007 06:17PM

Exactly.

Christian and I talked about it before disclosing it here, and Christian is a very upstanding guy. He only posted it here because he knew the Google/YouTube devs have this forum somehow in a feedreader. Media whores post it to slashdot/the reg.

Re: Message to Google / YouTube
Posted by: beford
Date: June 28, 2007 06:39PM

christ1an Wrote:
-------------------------------------------------------

> I apologize for my offense beford. I never
> intended to make such a big deal about this. The
> fact is, I contacted them a couple of times
> without receiving an answer. At the same time, the
> number of vulnerabilities rose each week or so. So
> I had to force them to contact me. The only way to
> make that happen was through sla.ckers because I
> knew that they read here.
>
> I honestly never thought that so many people would
> write about it. Didn't expect more than 3-4
> answers on this thread. So neither calling me an
> attention whore nor claiming that I was claiming
> this or that is right in this case.
>
> Glad to hear they have taken care of your reports
> so fast.

Anyways, it is good that Google took care of contacting you to fix these issues, the bad thing about my vuln report is that I didn't get the t-shirt :( I'm sorry for posting the 'attention whore' pic, but that's how I was getting this thread.

Re: Message to Google / YouTube
Date: August 02, 2007 05:20PM

I was having fun with Christ1an's exploits he identified on his blog a while ago. I'm assuming they were included in the 40+ revealed to Google because they're patched. Are there any left that anyone knows about mentioned anywhere on the net? (it's probably hopeless but I thought I'd ask)

Re: Message to Google / YouTube
Posted by: christ1an
Date: August 03, 2007 02:35PM

Actually, it's not hopeless at all. Just wait for the next upgrade and you'll find some.

Regards,
- http://christ1an.blogspot.com

_______________________
[http://php-ids.org] Web Application Security 2.0

Re: Message to Google / YouTube
Date: August 06, 2007 05:31PM

I'm not sure what to say. I want to say "thanks for the hope" but it sounds funny.



Edited 1 time(s). Last edit at 08/06/2007 05:32PM by digitalIllusionism.

Re: Message to Google / YouTube
Posted by: christ1an
Date: August 08, 2007 12:56PM

For the record, I checked yesterday and again found some reflective XSS flaws on their site. Obviously they don't care, don't listen, don't do anything but shooting new vulnerable features. I'll keep having an eye on 'em but surely not forever.

Ah and, did I mention that the Google Security Team doesn't really deserve that title? Pretty funny actually, seems like Google's employees have raffled who makes it into this pseudo team :) Gotta love this world

Regards,
- http://christ1an.blogspot.com

_______________________
[http://php-ids.org] Web Application Security 2.0
