in reply to Re^4: 5.18.0 is available NOW!
in thread 5.18.0 is available NOW!

  1. Yes. Yes. Yes.
  2. No. No. No.
  3. Only is irrelevant. Only is irrelevant. Yes. No.

Re^6: 5.18.0 is available NOW!
by BrowserUk (Patriarch) on May 21, 2013 at 06:21 UTC

    Where is the proof of concept code? (Without it, this is nothing more than idle speculation that has cost a lot of people a lot of time and effort.)


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
      where is your patch to provide an alternate?

        Two problems with that retort:

        1. It would be hard to code a patch to handle an attack vector that -- to the best of my ability to discover; and despite requests for further information and a promise of "I would release a full-disclosure document in the middle to last week of march." -- it seems has never been publicly described, let alone demonstrated.

          Indeed -- whilst I'm still waiting to hear back from mitre (CVE DB maintainers) and a couple of other likely organisations -- I can find no trace that anyone other than demerphq has ever been made party to the details of the vulnerability.

        2. Also, based upon the scant information I have been able to glean -- and a lot of unfortunately necessary supposition -- it seems likely that any one of several one-line patches might serve to totally mitigate the possibility of CVE-2013-1667.

          With the added upside that almost none of the pain caused by the implemented solution would have been necessary.

        I'm preparing a paper -- which will probably come in 4 or 5 parts -- now. But it would surely be easier, and maybe even unnecessary, if disclosure were made.


Re^6: 5.18.0 is available NOW!
by BrowserUk (Patriarch) on May 20, 2013 at 21:53 UTC

    Wrong on every count. And posting anonymously proves it.

