The online racing simulator
Software Exploits discussion
(121 posts, closed, started )
That's business...
Ask Microsoft & co. We cannot think of where they would be if there were no people releasing exploits and they had to fix them as fast as possible. Maybe we would have Vista 3 on our computers and nobody would know Linux :-P
#2 - SamH
"That's business"

That's bull. Show me the hackers' company registration information. I want proof they're maintaining their books and paying their taxes. I want to know which company is responsible for the time I've wasted recently. I have an invoice for them to pay. If it really is business, then it has to have corporate insurance, and I charge a lot for my time.

I recognise that Microsoft, and a few other large corporations, have created almost all of the impetus and the transposed justification that these hackers use to hide behind when they release their code. However, it just doesn't stand up to reason when applying it globally, to every software developer irrespective of their individual situations.

The hackers describe themselves as "the security industry", but it's a lie. It's a front. They're phreakers. Phreakers are losers, because they find their exploits and they make their threats, they make demands with unreasonable or impossible time constraints and then they unleash their code under the pretence that "the company was warned".

I am not fooled by these morons, or what they want to achieve. I don't fall for their "we're doing the users a favour" crap. Not for a moment.
I don't understand what you are trying to say to me with your post. But I doubt it answers the point of mine.
What I wrote is that Microsoft & co have to spend a lot of time on patching security and other issues, and THIS is business (the way it's going everywhere). In the example of LFS it shows more heavily because there is only one programmer.

That's not the thread to discuss this, because Scawen has to ignore more posts that are, for him, unnecessary *gg*
#4 - muhaa
Definitions of Phreaker on the Web:
A person who hacks (breaks into) telephone systems to make free long-distance phone calls at someone else's expense.

Quote :
The hackers describe themselves as "the security industry", but it's a lie. It's a front. They're phreakers. Phreakers are losers

Pmsl, you're so wrong it's funny. Just shut up. We could have released all the exploits without telling the company; we did the right thing by telling them and then we released the PoC code.

I treat this company like I would have any other; there is no law against what I or the other guy did, and if you don't like it, it's tough. This is the way the security industry works; if you don't believe me, do some research, then PM me.

I will be more than happy to discuss the issues with anyone over PM. We did the right thing just because we released the PoC codes and told the developers they'd better try and be quick about it because we wanted to release them. We could have just released them without telling the devs or anything. So stop bitching about it.

Unless you are in the security industry please don't comment on what me or the other guy, oh yeah, I think the developers were so busy they couldn't talk to us directly, come on, WTF. Then you try to pass the buck on to us who coded the game. Easy to pass the buck; if you want to go that far we can take this a lot further if you would like.
#5 - filur
#6 - muhaa
Nvrmm, you're a bunch of immature kids. I really can't be bothered with this crap. Oh, they hurt our little game and blah blah blah. Get over yourself, and grow up.

If you want to contact me via PM to discuss it I'm more than happy to answer any questions, but before you do, read this, the whole thing.

http://www.securityfocus.com/columnists/391

Please leave it at that, I don't want to go off topic again.
Quote from SamH : Show me the hackers' company registration information.

E.g. http://www.securityfocus.com/contact, new exploits appear here every day.

I suggest: moderators, please create a new thread in the Offtopic section and move off-topic posts from here to the new thread. Every discussion about server bugs in X10 ends with this. To stay off topic, as I wrote somewhere, I support full disclosure.
Quote from muhaa :they hurt our little game

Actually, you didn't. I very much doubt many people will get 'hurt' by the tiny little exploit that exists in replay files. It's not really that serious at all (although I'm sure it will be fixed). Don't try to make it sound as though you are saving the world, as you're not. You're just an immature amateur looking for faint recognition.
Quote from muhaa :We done the right thing just because we released the poc codes and told the developer's they better try and be quick about it because we wanted to release them.

Funny how you change your mind so quickly...
Well, finally it's not funny.
You just don't remember your own words:
Quote from muhaa :this is safe with me untill it's patched i wont release it till then after patch then i will becouse i can still release the poc after the exploit has been patched.

Quote from muhaa :Like i've said im not going into detail's about this un-till there is a patch released for it.

Quote from muhaa :nvrmm your a bunch of immature kids.I realy cant be bothered with this crap.Oh they hurt our little game and blah blah blah.Get over your sefl.And grow up.

Kettle, meet pot.

Pot, kettle.

Anyway, seems like you really "learned" from your mistakes...
Quote from muhaa yesterday :I will learn by my mistakes, I'm sure, for future releases of any other exploit or PoC code. I take this as a valid learning lesson on which I will be more than happy to improve in the future. People make bad mistakes and often make bad decisions, but if I could change things I would. Can we drop it before people start to flame. I've admitted I made a mistake and that's all I can say.

Less than 24 hours later...
Quote from muhahahawhatajoke :We did the right thing just because we released the PoC codes and told the developers they'd better try and be quick about it because we wanted to release them. We could have just released them without telling the devs or anything. So stop bitching about it.

It's ok though, I don't think anyone believed you the first time.

On the plus side for the devs and hosters for whom muhaa is a pain in the arse, it's soon school term again. Apologies to devs and any hosters involved with this thread for the off-topicness.
You guys need to know what you're actually talking about. I was advised, after I wrote that, that I had done nothing wrong by loads of people who I took advice from. I'm not in the wrong here.

Now stop going on about it.

If you have any questions you can contact me via PM like many others have done, which I will say was a lot more reasonable than some people in here. I don't care about public recognition; I tried to report a vuln, that's it. If you don't like it, tough. The devs should use better coding standards, simple.
#12 - SamH
I've moved the O/T posts to their own thread in O/T
Quote from muhaa :I don't care about public recognition

Of course you don't dear...
Quote from Scawen :you found the file reading vulnerabilities and you asked us to post something recognising that you found them.

It's ok though, I don't think anyone believed you in the first place.

(Cheers Sam )
@SamH
Now you cut my post out of context. I didn't write about exploiting being business. I mean that a company has to take much time to fix security issues. But right, at least both are the same.
I'm not even going to bother to feed some trolls; I just lost the will to argue over something so stupid as this..
#16 - SamH
Quote from CLRS530 :@SamH
Now you cut my post out of context. I didn't write about exploiting being business. I mean that a company has to take much time to fix security issues. But right, at least both are the same.

Sorry! I didn't mean to break the context. You fixed it with this post
#17 - SamH
Quote from Kada_CZ :E.g. http://www.securityfocus.com/contact, new exploits appears here every day.

You're saying this is the company responsible for releasing the code which has wasted my time?
Quote from SamH :I want to know which company is responsible for the time I've wasted recently. I have an invoice for them to pay. If it really is business, then it has to have corporate insurance, and I charge a lot for my time.

Personally I think it's a good thing. The more potential exploits they find along the way, the more secure the final product will be. But I refuse to believe it's not all about ego. Otherwise crack teams wouldn't spend god knows how long designing ASCII art logos.

And specifically to this case, if you were so noble you'd never have mentioned it on here and simply emailed Scawen right away to inform him of the potential problem. So far I've seen a handful of threads and a dozen posts boasting about it. Not just an ego trip? Right then...
If anyone is responsible it's the devs, simple as that. They coded the game; they used bad coding practice, which there is no excuse for. Every post I've seen has the same people trying to make it out as if I'm doing this for some sort of ego trip. Which is not the case. I'm not even going to argue with anyone unless they have a valid argument in the first place and actually know what I did and why.

You forget I'm S2 licensed; I paid for the game and I would like it secure also.
Quote from muhaa :If anyone is responsible it's the devs, simple as that. They coded the game; they used bad coding practice, which there is no excuse for ..

That's a rather pointless "I am on my high horse" sort-of-argument. Just do yourself a favour and don't dig yourself any deeper into this.
Well, I didn't code the game. If the code was safe there wouldn't be anything to worry about!
#22 - SamH
Muhaa, I think if you want to stop people going on about whether you did the right thing or not, you should shut up. Of course, if you don't, then I think it'd be reasonable for everyone to take that as a green light to say what they think about the whole thing too. You make your choice.
Sure it is. If I develop a program I'm proud of it. Why not? If I find a very hard bug it's the same.
With software from other developers where you don't know the source code it's a much bigger challenge, and you could be proud if you find a fix or an exploit, but the question is what you do with that information... Spend your energy on the good or the bad side.
Quote from muhaa :Well, I didn't code the game. If the code was safe there wouldn't be anything to worry about!

If you truly wanted the game safe you wouldn't endanger its safety by going public before it was patched, and you could release your proof of concept for everyone interested to see after it was fixed.

You didn't do that, but you said you were sorry for not doing so and won't do it again. All the community can do is take you on your word and hope that you indeed do so. So let's just leave it at that and not start throwing blame and holier/codier-than-thou remarks around, yes?
No, I think if I'm willing to accept some part of the blame the developers should take some responsibility. You forget, like the above post mentions, I didn't have the source code; reverse engineering is not an option as it is illegal.

I'm not saying the code is bad or anything; I wouldn't like to code the whole game, I can imagine the amount of time and stress and problem solving that goes into a project like this. And it can be easy for a compiler to change some functions, making the compiled application, which looks safe in code, not so safe when the completed binary is released.

I still stand by what I did. I think I could maybe have given a lot more time before releasing the PoC code, maybe 2-4 weeks, which is fair enough. But I was right to release the PoC code; this is what I do, I test software for bugs. These are the guidelines and ethics I follow:

1) find bug

2) contact developers

3) release PoC code

Simple as that, and that is for any company. I just think this is a massive witch hunt. You're all directing your anger at me when I'm not 100% responsible for the bugs; I can't surely be held responsible for the whole thing.

If the developers had taken the time like I did to write a whole description of the bug (I wrote a full page in a txt file, which took over 2 hours to write and collect all the information), but they couldn't just get in touch, I mean the developers, not some messenger, and then all of a sudden nothing.

I asked for 1 thing only, and that 1 thing was: if I kept the PoCs non-public, would they let me know 3 hours before they released the patch so I could get a CV number for the exploit. That was the only request I asked. I asked them 4 times; nothing came back. After I made the post on this forum in the bugs section I received a lot of bad mojo from most of the community; this had a lot to do with why the PoC was released. No one was taking me seriously, so I released them.

I think the game will be 100% safe when the release comes out, the new Y patch, which I'm looking forward to. If the bugs had been found after the final LFS2 came out I think it would have been a lot worse for the developers. Yes, it was bad timing with all the stuff that has happened over the coming month with the hacks and stuff, but there is never a good time to tell the developers about problems.