RE: Scanners and unpublished vulnerabilities - Full Disclosure

From: Deus, Attonbitus (Thorat_private)
Date: Tue May 28 2002 - 18:42:30 PDT


    At 04:20 PM 5/28/2002, Marc Maiffret wrote:
     >I couldn't agree more. I personally see it as a ploy touting the fact that
     >their purchasable product will now and then be able to look for some
     >vulnerabilities that other products won't be able to.
    
    Hey Marc- hope all is well...
    
    I have to say that I'm confused... Are you speaking from the perspective of 
    the pot or the kettle?  Sorry, I had to ;)   But before you get all pissed 
    at me, let me say that the only reason I have considered buying *your* 
    product when I can get stuff like URLScan or the comparable 
    soon-to-be-available product from JD Glaser for *free* is for this very 
    reason you call a "ploy."  For instance, the latest issues with IIS were, 
    at the time of your bulletin, protected by your SecureIIS product.  It is 
    not a ploy, it is value added.
    
     >I think it's irresponsible to try to pawn off a marketing scheme as something
     >that will help benefit the security community, or help the process of
     >getting vulnerabilities fixed.
    
    Yet you include sample exploit code with your notifications, and you give 
    away "free" scanners to check for blank SA passwords.  You are knee-deep in 
    it, brudda!
    
     >Giving out details of any nature, before there is a patch, is never the best
     >route and should be used as a last resort, not a first.
     >
     >I also do not agree with the statements about people not being able to
     >figure out exact details of the vulnerabilities based on the "VNA"'s.
    
    Don't equate yourself with "people."  You may be able to, but not your 
    average Joe.  And certainly not the people who have to use a tool to see if 
    they have a blank SA pwd.  But, with that said, let's take the text (from 
    memory) of the SQL VNA.  Block TCP 1433 and UDP 1434, and make sure you 
    have proper firewall rules in place.  What is the exploit?
    
     >Now sometimes that won't be enough information, however when you go
     >make a scanning tool that knows how to pinpoint the flaw it's only a matter
     >of time to reverse engineer that tool to figure out how it identifies the
     >flaw and then drill that down further to pinpoint the vulnerability.
    
    I couldn't reverse engineer my toaster, so I would fall back on a simple 
    sniff.  But yes, I would then get a leg up on the sploit.  But so 
    what?  People who paid for the product, or who had a fink, could get their 
    hands on it.  Credit for discovery is not an issue, so it would only be 
    those who would write an exploit.  As you well know, if Litchfield has the 
    bug, chances are other people have it too.  If the vendor gets off their 
    arse, then it is better for me.
    
    
     >I am not saying I agree with that, but for people like David who
     >are good at
     >finding vulnerabilities, it only makes sense to try to figure out how to
     >make a living off of that talnet... wrong or right no opinion.
    
    "talnet?"  I think your fingers have been trained ;)
    
    
     >I do see it
     >as being a big problem, and totally unethical, if you start to manipulate
     >the situation into being one of a strong arm style tactic where it's "give me
     >money, so you stay protected"
    
    You've gone too far here.  NGSSoftware is not attacking people, or 
    threatening to if they don't "pay up."  If anything, it is a message to the 
    vendors not to sit on a critical security bug for 8 months while they take 
    advantage of someone else's good graces.
    
     >.... equating it to store owners having to pay
     >off local thugs so they don't go bashing their place up. Not that I am
     >saying this is what is happening here.
    
    Then what are you saying?  Why bring up a non-sequitur analogy?
    
     >Once again, I just think this is a
     >really poor marketing ploy. But hey it's working... we're all discussing it,
     >as dumb as it all is.
    
    Let's put this in perspective.  You supplied exploit code for the idq 
    vulnerability.  All manner of folk blamed you (incorrectly) for Code Red 
    for the exact same reasons you are now saying are faulty with the VNA.  You 
    have a job because you are a bad-ass!  Your company makes money *strictly* 
    due to the fact that you perceive problems with other people's products, 
    and provide solutions for them.  What do you think the customer is paying 
    for?  I don't only want protection from 0 day exploits, it is what I 
    *expect*!!  I don't need protection from 6 month old bugs- I need 
    protection from the people like you and David that are not professional.
    
    And that is what I will get when I buy your products.  If anyone should get 
    behind this, I would think it would be you.
    
    Cheers, dude.  See ya at Blackhat.
    
    Tim
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 18:45:15 PDT