fanboy night


June 11th, 2007

Today was WWDC. Today Apple released a beta of Safari [the Mac web browser] for Windows. Today was a good day for battles between Microsoft apologists and Mac fanboys.

But I’ve been in my battle someplace else. Today I’m here to express my sadness regarding David Maynor’s latest blog post. Of course, Mr. Maynor does not need to care about my opinions in the least bit - after all, his name is known in security circles well enough. I do respect his work - my ‘port’ of Ferret was a tribute to that - but I won’t hold back because of that.

First off, congratulations. There are bugs in beta-grade software. Important bugs, admittedly. So what would one do? Dump the product or report said bugs upstream in hope of a fix from the original developer[s]? Why do the latter? Well, as someone who would be concerned about the state of the Internet and the fact that security issues are an important reason for the pollution of the Web[1], it does sound like a reasonable thing to do. Sure, Mr. Maynor has had previous run-ins with Apple which he reports as being of a negative nature - and, as such, has decided to withhold disclosure of security vulnerabilities to the Fruit. Fine, it’s his “Intellectual Property” or simply his right to do so.

What’s going to happen? I’m not the Oracle. What could happen? Safari final comes to Windows. Bugs are still - maybe just some, maybe all - there. Mister Maynor can laugh in the face of Apple for failing to fix them and then sell them to the highest bidder [granted, it will probably be a security company and not blackhats.] Another hit against Apple and some brownie points for ErrataSec.

I am disappointed by what I can only perceive to be dubious intent. A vendetta of sorts which will damage the users more than the companies involved [Apple, ErrataSec or any other third-parties that get drawn into this.] In light of the alleged gag-order imposed with regards to the Apple WiFi affair, I think another alternative means of distribution of said bugs could be found. I understand that mister Maynor has to pay his bills - it would be wise of more companies to offer bounties for the finding and reporting of serious security risks [as some do] - but his attitude does not encourage any kind of positive action to come about. While I do not vilify mercenaries in the security world, I do take issue with those inconsistent in their approach.

UPDATE: It seems something ticked him off, the trackback link was removed sometime during the day today. Wonder what that means…

UPDATE 2: Trackback now shows on ErrataSec. I see others were removed so maybe DM thought I was spamming. A trackback link should be used as a comment, generally, to let people know you’re talking about something they said.

  1. MySpace would be in the top #10, no doubt

meh


June 7th, 2007

Not that I ever hoped otherwise, but miss Rich Bitch Hilton is out of prison. You’re all probably wondering why the heck I’m so bothered about this. I think such explanations aren’t necessary - just remember that we’re all supposed to be equal in front of and under the law.


caller id spoofing


June 6th, 2007

natas of DDP fame just launched a website dedicated to caller ID spoofing. In his original blog post he mentions that every time he has posted information to Wikipedia, it got removed. As a direct result of that, all information on the aforementioned website is clearly protected, by copyright, against copying by Wikipedia.

I understand that not every piece of information deserves to be “out there”. While I tend to subscribe to that whole notion of “information wants to be free”, I do acknowledge the fact that certain kinds of information do not deserve attention[1]. But, from quickly browsing his new website, I neither find the information to be inaccurate - mind you, I have yet to test it out extensively - nor in any way bordering on illegality. He actually deals with some of the legal issues that revolve around CID spoofing and what the future - if any - might be. Which begs the question of why Wikipedia decided to remove it. I know the online encyclopedia does not necessarily aim to be, in and of itself, an activist website. Information is gathered, compiled and presented so as to best reflect what are thought to be facts regarding a given subject matter. In that sense there is already a minor form of activism - trying to filter out disinformation and rumours and keep to the facts is not something everybody, everywhere really wants[2].

Wikipedia must either go all the way or drop itself completely. Either compile and collect all this information - indeed, be an encyclopedia with all the glory and the responsibility - or blow the smoke screen. I know there have been previous controversies regarding [paid] vanity biographies, deleted users or facts that were deemed too “out there” to be posted publicly. I guess what I’m doing here is - remember to be skeptical in life. Everywhere. Even if 95% of the information on Wikipedia is of good quality - always push to find out more if it really matters. And always push those that would try to censor information that deserves to be public out of society’s way.

I’m also plugging natas’ website because I never thought phreaking is dead =)

  1. I have discussed hate speech before, both as a free speech issue and otherwise
  2. I have people in China that can attest to that
