not sure if my last email got through to the list where i apologized for my dumbass email i sent earlier. was out of line and not very well thought out. that was me fucking up :-] apologies again. back to my hole.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Deus, Attonbitus [mailto:Thorat_private]
| Sent: Tuesday, May 28, 2002 6:43 PM
| To: Marc Maiffret; Drew; pen-testat_private
| Subject: RE: Scanners and unpublished vulnerabilities - Full Disclosure
|
| At 04:20 PM 5/28/2002, Marc Maiffret wrote:
| >I couldn't agree more. I personally see it as a ploy touting the fact that
| >their purchasable product will now and then be able to look for some
| >vulnerabilities that other products won't be able to.
|
| Hey Marc- hope all is well...
|
| I have to say that I'm confused... Are you speaking from the perspective of
| the pot or the kettle? Sorry, I had to ;) But before you get all pissed
| at me, let me say that the only reason I have considered buying *your*
| product when I can get stuff like URLScan or the comparable
| soon-to-be-available product from JD Glaser for *free* is for this very
| reason you call a "ploy." For instance, the latest issues with IIS were,
| at the time of your bulletin, protected by your SecureIIS product. It is
| not a ploy, it is value added.
|
| >I think it's irresponsible to try to pawn off a marketing scheme as something
| >that will help benefit the security community, or help the process of
| >getting vulnerabilities fixed.
|
| Yet you include sample exploit code with your notifications, and you give
| away "free" scanners to check for blank SA passwords. You are knee-deep in
| it, brudda!
|
| >Giving out details of any nature, before there is a patch, is never the best
| >route and should be used as a last resort, not a first.
| >
| >I also do not agree with the statements about people not being able to
| >figure out exact details of the vulnerabilities based on the "VNA"'s.
|
| Don't equate yourself with "people." You may be able to, but not your
| average Joe. And certainly not the people who have to use a tool to see if
| they have a blank SA pwd. But, with that said, let's take the text (from
| memory) of the SQL VNA. Block TCP 1433 and UDP 1434, and make sure you
| have proper firewall rules in place. What is the exploit?
|
| >Now sometimes that won't be enough information however when you go
| >make a scanning tool that knows how to pinpoint the flaw it's only a matter
| >of time to reverse engineer that tool to figure out how it identifies the
| >flaw and then drill that down further to pinpoint the vulnerability.
|
| I couldn't reverse engineer my toaster, so I would fall back on a simple
| sniff. But yes, I would then get a leg up on the sploit. But so
| what? People who paid for the product, or who had a fink, could get their
| hands on it. Credit for discovery is not an issue, so it would only be
| those who would write an exploit. As you well know, if Litchfield has the
| bug, chances are other people have it too. If the vendor gets off their
| arse, then it is better for me.
|
| >I am not saying I agree with that, but for people like David who are good at
| >finding vulnerabilities, it only makes sense to try to figure out how to
| >make a living off of that talnet... wrong or right no opinion.
|
| "talnet?" I think your fingers have been trained ;)
|
| >I do see it
| >as being a big problem, and totally unethical, if you start to manipulate
| >the situation into being one of a strong arm style tactic where it's "give me
| >money, so you stay protected"
|
| You've gone too far here. NGSSoftware is not attacking people, or
| threatening to if they don't "pay up." If anything, it is a message to the
| vendors not to sit on a critical security bug for 8 months while they take
| advantage of someone else's good graces.
|
| >.... equating it to store owners having to pay
| >off local thugs so they don't go bashing their place up. Not that I am
| >saying this is what is happening here.
|
| Then what are you saying? Why bring up a non-sequitur analogy?
|
| >Once again, I just think this is a
| >really poor marketing ploy. But hey it's working... we're all discussing it,
| >as dumb as it all is.
|
| Let's put this in perspective. You supplied exploit code for the idq
| vulnerability. All manner of folk blamed you (incorrectly) for Code Red
| for the exact same reasons you are now saying are faulty with the VNA. You
| have a job because you are a bad-ass! Your company makes money *strictly*
| due to the fact that you perceive problems with other people's products,
| and provide solutions for them. What do you think the customer is paying
| for? I don't only want protection from 0 day exploits, it is what I
| *expect*!! I don't need protection from 6 month old bugs- I need
| protection from the people like you and David that are not professional.
|
| And that is what I will get when I buy your products. If anyone should get
| behind this, I would think it would be you.
|
| Cheers, dude. See ya at Blackhat.
|
| Tim
|
| ----------------------------------------------------------------------------
| This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
| Service. For more information on SecurityFocus' SIA service which
| automatically alerts you to the latest security vulnerabilities
| please see:
| https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 19:17:18 PDT