Forwarded from: Aj Effin Reznor <ajat_private>

"InfoSec News was known to say....."

> Forwarded from: Thomas C. Greene <tcgreeneat_private>
>
> i don't think it's at all hypocritical. as i've said repeatedly,
> i'm in favor of full disclosure. but there's a difference between
> disclosure and a media blitz.

And you *do* represent the media, correct? The same media that feeds on
the "digital pearl harbour", which never occurs. The y2k shams, which
were little more than just that. The media. Yeah. We *believe* you.

Baaaaaaaaaaa <--- sheep noises, be creative :)

> to compare my highspeed junkie article with what eEye did with the
> .ida hole, i would have had to: 1) post it on every security-oriented
> mailing list i know; 2) send a press release to every tech journalist
> in the business; and 3) mention my handy-dandy highspeed junkie code
> cleaner, yours for only a couple of thousand bucks. the most
> important issue here is the fact that i have no conflict of interest
> when i link to an exploit. i'm not selling solutions to it.

(1a) You may as well fault Security Focus then, for the moderators
allowing Marc's posts to go through.

(1b) You may as well also fault eEye for reverse engineering the bug,
and posting it to lists hosted by Security Focus. After all, showing
how one bug works only tells other malicious coders how and where their
own script can compromise hosts.

(1c) As per (1b), fault Security Focus for co-releasing eEye's reverse
engineering.

Ridiculous? Hell yes. But this is what you are basically saying, had
you followed through on your own thoughts.

(2) If journalists didn't feed on press releases then they would have
no value. Point (2) of yours would be moot if the journalists
themselves were not part of the problem.

(3) Other than SecureIIS, which, as I have stated in a previous post,
is the only package I know of that would have stopped an attack which
had no known signature, you MUST be referring to eEye's CodeRedScanner.

http://www.eeye.com/html/Research/Tools/codered.html

Cuz, that's, uh, free. I don't see MS or *anyone* else putting out a
*free* tool for testing a server's integrity. Your conflict of
interest seems to be more of a moral splitting of hairs than an
alleged economic one.

> as for the twinkies, i prefer not to name names. they're a
> 'type'. they think company flacks are a legitimate news source.
> (well they can be, so long as you're questioning them about their
> competitors, lol). they're gullible, and ambitious, and
> well-groomed, and they don't expect people to lie to them. they
> went to schools like my alma mater (Williams), but they imagined
> their professors were all wonderful people, and cherish their
> diplomas. they can read and digest difficult text, and re-cap it
> on command; they've learned to follow complex instructions, meet
> deadlines with pluck, and go about things in a 'professional'
> manner -- that is, without reluctance, personal flair or (Heaven
> forbid) independent moral reasoning. They lack imagination,
> talent, and most of all, courage. And they make me sick.

Imagination and "literary license" are not excuses for shoddy
reporting, finger pointing, and utterly overlooking the large
implications of the concepts supported by journos. Damn near every
journo I've met, save about 5, would appear to qualify as the twinkies
you describe.

-aj.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 07:53:13 PDT