The online racing simulator
Message for the devopers
(26 posts, closed, started )
#1 - muhaa
Message for the devopers
Can one of the developers get in touch please? I had PM'd one of you guys and got no reply. I have some information that will benefit the LFS community.

I'm trying to go about this the right way unlike the communication problems we had last time.

I'm not going into the bug publicly, so don't ask any questions; this is not a debate.

I don't want a repeat of last time. I've sent you guys emails and PMs. I want to work with you guys rather than against you, so please hit me up on my email so I can forward the code.

If you guys at least make an effort to communicate with me about this bug, things can go a lot more easily.

My contact details.
[email protected]
Quote from muhaa :I'm trying to go about this the right way unlike the communication problems we had last time.

I'm not going into the bug publicly, so don't ask any questions; this is not a debate.

Then send an email to the devs. Posting here isn't going to help, I'd highly doubt that the devs contact everyone who claims to have some "valuable information".

BTW, posting your email on a public forum != smart
I don't see the problem with contacting the devs themselves. No doubt they will give you a reply if they feel it is necessary.
#4 - muhaa
You know what, I only posted this for the developers. If they think I don't have information that will help them, I can just make it public once again; then I get flamed for releasing the information and making the vulnerability public.

That email is just an email for my exploit development work, that's all. If you guys can only flame, don't post please.

Woot Bob, I did not realize you were from the northeast :_)
I lived there most of my life.

I have PM'd Vic and am waiting for a response. I'm not sure how many developers there are in the team, and maybe Vic is away on vacation or something, so I thought I might try to see if there is another developer on these forums.

If you go to the site and click report bug, it brings you here to report a bug, but because it can put other LFS users at risk I can't post information on here. I don't have the developers' email address; if someone could PM me that would be great.
<email address removed> is the email address you're looking for, I would imagine.

Edit: Please do not publicly post that email address, this is due to issues with spam. You can use the contact form on the lfs.net website for the same effect - Bob

Edit 2: Sorry! Mp3 Astra
Who are the devopers anyway?
They're millionaires!
In old Italian Lira
They're called developers.
:d
Oh well, I can say I did try 4 to 5 times to get in touch with the developers. I'm going to just make it public if they are not that bothered.
I can get an unlock faster than they can get back to me, not even an email. If I get no word back from any of you guys, I'll just take it that you don't care about the implications of this bug and will go full public disclosure.

Shame on you
Quote from SilverArrows77 :pathetic.. go make idle threats elsewhere. Do you really think with all the reports they get about various matters that they are going to drop everything and jump to your attention within 24hrs, especially when you have started this as an idle threat from your opening post.... "do this now, or i do this..." .. Grow up and get a realistic hold on your ego.

He did exactly the same shit one year ago or so.
They have 1 week to at least make an effort to get in touch. They have up until the 10th of June to get in touch with me; if nothing, then I will go with full disclosure. Fair?
I've been trying to get in touch with them for over 2 weeks now.

You forget I put a lot of time into testing bugs and developing exploits so you guys can have at least a half-safe application to run on your computer.

If I get no word back from any of you guys, I'll just take it that you don't care about the implications of this bug and will go full public disclosure.

That is not a threat, that's how it works.
Quote from muhaa :They have 1 week to at least make an effort to get in touch. They have up until the 10th of June to get in touch with me; if nothing, then I will go with full disclosure.

If I get no word back from any of you guys, I'll just take it that you don't care about the implications of this bug and will go full public disclosure.

That is not a threat, that's how it works.

sounds like a threat to me.

Quote from gunn :just do the right thing and don't release it publicly at all. What were you thinking? The mind boggles at why somebody would deliberately piss off thousands of people. My hero. :rolleyes:

Grow up ffs.

+100000000000
Quote from muhaa :If I get no word back from any of you guys, I'll just take it that you don't care about the implications of this bug and will go full public disclosure.

Can I just reiterate that the only way to get the developers' attention would be via https://www.lfs.net/?page=mailus. Right now Vic isn't really doing much with LFS due to various reasons, so if you've tried contacting him that wasn't the way to go and it would explain why you've not heard any answer.

Quote from muhaa :That is not a threat that's how it works.

As interesting as the debate is between full, partial and no disclosure (genuinely, I enjoy debating the topic), I'm afraid to say that doing it here isn't the best course of action.

The community as a whole, including mods, doesn't really have any other method to contact the developers so I'm not sure that we can go any further than we already have with this thread.

Given the alarming direction that this thread is going I'm going to close it for now. I truly hope that you fully read my response, especially the top bit about Vic and contacting the developers. They can find your information here and in any other correspondence you've sent.

muhaa, if you want it reopened then give me a shout.
I have managed to forward the information to the developers to get the vulnerability fixed, and nothing will be released till I get word back from the developers.

And for you guys who like to flame, look at the advisory here and take it the way you wish, but I would like to think I helped the XBMC team out.

Have a read of the change set.

http://www.securityfocus.com/bid/34334/references

And also on their forum
http://xbmc.org/forum/showthread.php?t=48038

So please think before you flame in future.
SilverArrows77, I won't reply to you directly because I think you are just trolling. The reason I asked for this post to be unlocked was because I wanted to point out I'm not as bad as you think.

My point is it was because of people like yourself that the last exploits got released, not the developers but because of people trolling.

I'm not after a thank you or anything, I'm just wanting the application I also paid for securing by the developers. I think since last year I grew up a lot and won't let people like yourself put other LFS users at risk.

That is all, and the reason I referenced the XBMC application is because I wanted to show that in fact people like myself can help the developers of applications.

That is all. I'm not on no ego trip. I learn everything I know myself, from programming to debugging to disassembly; I don't need anyone to up my ego at all.

I do agree that last year things got a little heated and wrong decisions got made, and I do accept responsibility for the actions I took and know they were wrong. But at the end of the day I was still learning myself how to approach developers with these kinds of things.

I could have actually stopped a lot of people from getting their accounts stolen, which would have been a real pain for the victim and for the developers to put right.

You know, with some developers you have to actually threaten them to get them to listen, but you wouldn't know that. If you want to flame and make remarks like you have, why not do it over PM.
I've spent over 50 to 80 hrs testing LFS2 alone for vulnerabilities and I'm still putting time into it to try and help get it secure for the final release.

If the community thinks it is better that I just disappear and not help with the LFS application, then I will. Someone else can exploit these bugs and wreck other people's fun.

Instead all I'm doing is trying to get the bugs fixed so everyone is happy. What's saying that this bug has not been used by someone to take over the person's PC. After all, I was able to execute shellcode on all Windows from Win XP SP3 to Vista SP1, even with address randomization.
Why did you post those random links in #21 muhaa?
Quote from muhaa :I think since last year i grew up a lot

Doesn't look like it to me:

Quote from muhaa :They have 1 week to at least make an effort to get in touch. They have up until the 10th of June to get in touch with me; if nothing, then I will go with full disclosure. Fair?

You forget I put a lot of time into testing bugs and developing exploits so you guys can have at least a half-safe application to run on your computer.

If I get no word back from any of you guys, I'll just take it that you don't care about the implications of this bug and will go full public disclosure.

You forget I put a lot of time into testing bugs and developing exploits so you guys can have at least a half-safe application to run on your computer.

Quote :
If I get no word back from any of you guys, I'll just take it that you don't care about the implications of this bug and will go full public disclosure.

Have you ever tried to talk to vendors before? Do some of the vendors take the security implications of their program seriously? Unfortunately, in today's society, no they don't.

As I've stated my reason for the threat, I'm not going to go into this, but one thing I can say is that at least they are listening to what I have to say now.

Unless you have had to deal with vendors you can't really comment on that at all.

Quote :
Why did you post those random links in #21 muhaa?

That was to prove that some times vendors will actually work with people like myself rather than against me.

If you can't see that I'm trying to help in some way then don't post. The LFS forums is a place where people like to flame for no reason and then bump their post count.

But I will leave the LFS2 application well alone from now on. I won't waste any more time on help with the fixing of bugs. When people start getting their computers hacked and stuff, don't come complaining to the developers.

It costs a lot of money to get an application tested, especially in closed source applications. I would like to think I was doing it for nothing for the good of us all, but obviously not. We will let the developers sift through their code in future or pay for a company to look into these bugs.

I'm pleased that some of the moderators and people that PM understand where I'm at least coming from. But I can say I did expect nothing else from people like you.
Quote :Have you ever tried to talk to vendors before? Do some of the vendors take the security implications of their program seriously? Unfortunately, in today's society, no they don't.

i don't know what vendors you talk to... but at work, i talk all the time to the software vendors of various software products we use. in the healthcare biz, we take security very seriously.

from searching your previous posts, this isn't the first time you've taken a hissy fit and released exploit information... just pass the info to the devs via email, leave the forums out of it, and let them take care of any issues when they have time to fix them.
This thread is closed
