> I couldn't agree more. I personally see it as a ploy touting the fact that
> their purchasable product will now and then be able to look for some
> vulnerabilities that other products won't be able to.

And this is wrong how? If David can protect his customers on a pro-active basis and allow them to assess their own risk, I can't see how you find fault in it.

> I think it's irresponsible to try to pawn off a marketing scheme as something
> that will help benefit the security community, or help the process of
> getting vulnerabilities fixed.

Ok, that's a bit much. There is not a vendor or security team in existence who is publishing security alerts for posterity alone. It's in most if not all cases a situation whereby companies or individuals are either marketing their product or talent. Start, stop, finish. People can paint up their motivations in any way they suspect might be more palatable to the general public, but let's not fool ourselves here: our industry is not driven by benevolence. Further, there is *nothing* wrong with this because regardless of your motivation the net result, if handled properly, helps everyone involved.

> Giving out details of any nature, before there is a patch, is never the best
> route and should be used as a last resort, not a first.

If you read the VNA I think you'll see this is the case.

> I also do not agree with the statements about people not being able to
> figure out exact details of the vulnerabilities based on the "VNA"'s.

I think you're wrong here. By all means dig into his VNA and prove me wrong.

> If you publish details saying XYZ product has a flaw, this is how you work
> around it, and here is a product which can scan your network for it, then
> people will FOR SURE be able to pinpoint the flaw and start widely
> exploiting it while we all wait for a vendor patch.

This is a strong statement with little or no evidence. Ballista, ISS and Cerberus have all had non-published vuln checks in them. Can you point out any instance where this turned into wholesale attacks from reverse engineering?

> A researcher finds a flaw, why
> should they not be able to give that information to paying customers (under
> NDA) while the researcher waits for a vendor to fix the vulnerability? I am
> not saying I agree with that, but for people like David who are good at
> finding vulnerabilities, it only makes sense to try to figure out how to
> make a living off of that talent... wrong or right no opinion.

A salient point to remember here is that David and his team are hardly alone in their ability to discover vulnerabilities. Finding heap/buffer overflows, format string bugs, race conditions etc. is no longer an arcane science. It does not require strong programming skills (in the professional sense). Simply put, it's fairly simple to do and therefore you should assume that it's being done en masse. The question is not whether David's company should be able to profit off of their research; that I think is a no-brainer. The issue is: should they follow their policy as stated in the VNA? The answer to this I think is also a no-brainer. Yes.

> I do see it
> as being a big problem, and totally unethical, if you start to manipulate
> the situation into being one of a strong arm style tactic where it's "give me

Hmm, I know people have attacked your credibility on issues like this in the past. Has your position changed or are you a touch gun shy now?

> money, so you stay protected" .... equating it to store owners having to pay

This is hardly extortion; it's the principle on which the security industry is run. Buy a firewall or you're exposed to the unwashed masses, buy this scanner or your network will be littered with security vulnerabilities, buy our encryption or your data will be purloined, and so on and so forth. People are buying our products to protect themselves; there are no illusions about this.

> off local thugs so they don't go bashing their place up.

Loading up the conversation with this type of imagery borders on ridiculous. The same folks who use language like this are the same myopic types who vilified eEye over CodeRed.

> Not that I am
> saying this is what is happening here. Once again, I just think this is a
> really poor marketing ploy. But hey it's working... we're all discussing it,
> as dumb as it all is.

David did not bring this issue up - I did. I do not own part of his company, use his product or even know him. The only people I have ever plugged in 4 years of running this list are CORE ST and they deserved it.

Cheers,
-al
VP Engineering
SecurityFocus
"Vae Victis"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 17:59:22 PDT