I couldn't agree more. I personally see it as a ploy touting the fact that their purchasable product will now and then be able to look for some vulnerabilities that other products won't be able to. I think it's irresponsible to try to pawn off a marketing scheme as something that will help benefit the security community, or help the process of getting vulnerabilities fixed. Giving out details of any nature, before there is a patch, is never the best route and should be used as a last resort, not a first. I also do not agree with the statements about people not being able to figure out exact details of the vulnerabilities based on the "VNA"s. If you publish details saying XYZ product has a flaw, this is how you work around it, and here is a product which can scan your network for it, then people will FOR SURE be able to pinpoint the flaw and start widely exploiting it while we all wait for a vendor patch. How? Most of the time it only takes the information on how to work around a vulnerability to figure out what the vulnerability is, or at the very, very least where to start looking. Now sometimes that won't be enough information; however, when you go make a scanning tool that knows how to pinpoint the flaw, it's only a matter of time to reverse engineer that tool to figure out how it identifies the flaw and then drill that down further to pinpoint the vulnerability. With all of that being said, there is the debate on whether or not making money off of vulnerabilities is a bad thing? A researcher finds a flaw; why should they not be able to give that information to paying customers (under NDA) while the researcher waits for a vendor to fix the vulnerability? I am not saying I agree with that, but for people like David who are good at finding vulnerabilities, it only makes sense to try to figure out how to make a living off of that talent... wrong or right, no opinion.
I do see it as being a big problem, and totally unethical, if you start to manipulate the situation into being one of a strong-arm style tactic where it's "give me money, so you stay protected" .... equating it to store owners having to pay off local thugs so they don't go bashing their place up. Not that I am saying this is what is happening here. Once again, I just think this is a really poor marketing ploy. But hey, it's working... we're all discussing it, as dumb as it all is.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Drew [mailto:simonisat_private]
| Sent: Tuesday, May 28, 2002 12:42 PM
| To: pen-testat_private
| Subject: Re: Scanners and unpublished vulnerabilities - Full Disclosure
|
| Alfred Huger wrote:
| >
| > Heya all,
| >
| > Most of you who are long time users of this list know I tend to avoid
| > conversations on-list about full-disclosure. I'm of the opinion it's a
| > religious discussion with little or no merit for debate given that people
| > are unlikely to move from their current position.
| >
| > Having said this, every now and then something does occur within our
| > industry to spur discussion. In this case I came across something which
| > directly impacts the Pen-Testing arena and I would like to throw it out
| > for open discussion. The event in question is a new Vendor Notification
| > Alert Scheme the folks over at NGSSoftware announced yesterday. The
| > announcement can (and should be) read at:
| >
| > http://www.nextgenss.com/news/vna.html
| >
|
| Seems to me like a thinly veiled marketing announcement. Worked, too.
|
| I don't notice anything _too_ radically separated from well known
| vulnerability disclosure methods, with the singular exception that
| they do not make accommodations for a responsive vendor who has not
| yet released a patch, which is in contrast to the RFPolicy, a well
| known disclosure roadmap, and the referenced Christey-Wysopal policy.
|
| I read it as "Buy our scanner and you'll have access to vulnerabilities
| others don't yet have".
|
| -Ds
|
| ----------------------------------------------------------------------------
| This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
| Service. For more information on SecurityFocus' SIA service which
| automatically alerts you to the latest security vulnerabilities
| please see:
| https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 16:27:19 PDT