Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Alfred Huger (ahat_private)
Date: Tue May 28 2002 - 15:38:02 PDT


    On Tue, 28 May 2002, Ryan Russell wrote:
    
    > On Tue, 28 May 2002, Alfred Huger wrote:
    > I would suspect this wouldn't have much of an impact on the pen-testing
    > community, but I'll leave it to the professional pen-testers to answer how
    > often the very latest vulnerabilities come into play in their work.
    
    Being able to show a potential or current customer that they have
    vulnerabilities in a production environment comes at a premium, in
    particular if this client cannot get this information elsewhere. The folks
    at NGSSoftware feel that if they are aware of a vulnerability there is
    more than a passing chance that someone else (likely with less than
    sterling motives) is also aware of this. I concur 100% based on personal
    experience. Through SecurityFocus, SNI and NAI I've been involved in
    reporting dozens of security bugs to vendors. The number of times my
    report came in alongside others who had discovered the same issue was
    fairly high. In a recent example which comes to mind a vulnerability
    SecurityFocus was working on for CORE ST to report to a series of vendors
    was discovered by about 5 other parties at almost exactly the same time.
    Each of the parties was unrelated and their motives were pure (all things
    being relative I suppose). What do you think the odds are that someone in
    the blackhat community was also sitting on the bug? I would guess pretty
    high. Vulnerability research does not now nor has it ever taken place in a
    vacuum.
    
    > What it boils down to is the rest of us will have the information, just a
    > little later.  I suppose part of the controversy is that NGSSoftware is
    > presumably going to benefit from holding back information, i.e. if you
    > want to check for the vulns they found, you have to buy their product.
    
    Yep, that is what I suspected most people would take umbrage with. In this
    case however I think NGSSoftware is perfectly within their rights. Firstly
    I do think their motives are above board. Having said this I see nothing
    wrong with it even if their motives are purely commercial. The Internet
    like anywhere is driven off business concerns. If NGSSoftware can provide
    a valuable service by alerting their customer base of flaws in production
    software - power to them. This is after all about paying the rent. I
    understand that a fair number of folks in this industry are still waiting
    for the Great Leap Forward to sweep us all into some digital utopia where
    information wants to be free and where breaking into someone's computer can
    be painted in a benevolent light (you know - just trying to help). I am
    not buying. I'd take advance notice from NGSSoftware over idealism. One
    keeps me my job while the other makes for good coffee shop banter but
    little else.
    
    
    > This isn't new, either.  A few years ago at a previous employer, I was a
    > licensed user of ISS' Internet Scanner.  They had a check for a statd bug
    > (which came to my attention because it was getting positive matches) that
    > I could find no public documentation on.  I.e. I was doing an internal
    > penetration test, and having a potential hole, I wanted to go ahead and
    > exploit it fully.
    
    Yes, and ISS is not alone there. It's been done by other scanner vendors.
    SNI in particular did this a few times. We also alerted our customers
    about vulnerabilities we had in the pipes with vendors as a matter of
    course.
    
    
    > can't, in which case, they would just have to do so anonymously.  Second,
    > people really can reverse-engineer the problem by diffing patches, source
    > or object.  So, anyone who wants the hole can still have it, they just
    > have to spend more time and/or money.  Take a look at the recent set of IE
    > holes Microsoft fixed.  Several of them were discovered by MS themselves,
    > and I know for a fact that some people outside of MS now know how the
    > holes work.
    
    Yep good points.
    
    > So, I don't see how their policy really changes anything.  We'll all still
    > have access to the holes, good guys and bad.  Once there is a hint that
    > there's a problem somewhere, it will be ferreted out.
    
    Yes, and that is IMO a good thing. Vendors by and large need encouragement
    to address security bugs in their software. Regardless of what is said to
    the public, the base reality is that without prompting they are likely to
    not prioritize this. Full Disclosure, while being horribly flawed and often
    as harmful as it is helpful, came about for a reason.
    
    -al
    
    I should cap this out by saying that my above opinions are my own.
    
    > Ryan
    
    VP Engineering
    SecurityFocus
    "Vae Victis"
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 16:38:30 PDT