Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Raju Mathur (raju@linux-delhi.org)
Date: Tue May 28 2002 - 19:50:51 PDT


    >>>>> "Alfred" == Alfred Huger <ahat_private> writes:
    
        Alfred> [snip]
    
        >> What it boils down to is the rest of us will have the
        >> information, just a little later.  I suppose part of the
        >> controversy is that NGSSoftware is presumably going to benefit
        >> from holding back information, i.e. if you want to check for
        >> the vulns they found, you have to buy their product.
    
        Alfred> Yep, that is what I suspected most people would take
        Alfred> umbrage with. In this case however I think NGSSoftware is
        Alfred> perfectly within their rights. Firstly I do think their
        Alfred> motives are above board. Having said this I see nothing
        Alfred> wrong with it even if their motives are purely
    
    Doesn't appear that way to me.  Their motives appear quite commercial
    (I won't repeat the arguments made by other list members here) and
    there is no reason why SecurityFocus, pen-test or bugtraq should
    provide them with a platform to propagate their products and services.
    They have the freedom under law to hoard their vulnerability
    database for the benefit of their customers, and we have the
    corresponding freedom to boycott them, ignore them or prevent them
    from hijacking a public full-disclosure forum for their own ends.
    
        Alfred> commercial. The Internet like anywhere is driven off
        Alfred> business concerns. If NGSSoftware can provide a valuable
        Alfred> service by alerting their customer base of flaws in
        Alfred> production software - power to them. This is after all
        Alfred> about paying the rent. I understand that a fair number of
        Alfred> folks in this industry are still waiting for the Great
        Alfred> Leap Forward to sweep us all into some digital utopia
        Alfred> where information wants to be free and where breaking into
        Alfred> someones computer can be painted in a benevolent light
        Alfred> (you know - just trying to help). I am not buying. I'd
    
    I missed the connection between free information and freedom to crack
    here unless the latter is just a red herring to divert attention from
    the former?
    
        Alfred> take advance notice from NGSSoftware over idealism. One
        Alfred> keeps me my job while the other makes for good coffee shop
        Alfred> banter but little else.
    
    Since mailing lists embody the free information aspect of the
    Internet, in effect you're saying that PEN-TEST, VULN-DEV and BUGTRAQ
    are `coffee-shop banter' while your other concerns are what are of
    primary importance to you.  I find that quite disturbing, and if that
    really is the case I'd suggest that SecurityFocus hand over the mantle
    of running this list to another individual or, if this is the
    prevalent thinking in the company, another organisation.
    
        >> This isn't new, either.  A few years ago at a previous
        >> employer, I was a licensed user of ISS' Internet Scanner.  They
        >> had a check for a statd bug (which came to my attention because
        >> it was getting positive matches) that I could find no public
        >> documentation on.  I.e. I was doing an internal penetration
        >> test, and having a potential hole, I wanted to go ahead and
        >> exploit it fully.
    
        Alfred> Yes and ISS is not alone there. It's been done by other
        Alfred> scanner vendors.  SNI in particular did this a few
        Alfred> times. We also alerted our customers about vulnerabilities
        Alfred> we had in the pipes with vendors as a matter of course.
    
    Precedents are not an argument for continuing a flawed policy.
    
        Alfred> [snip]
    
        Alfred> I should cap this out by saying that my above opinions are
        Alfred> my own.
    
    Regards,
    
    -- Raju
    -- 
    Raju Mathur          rajuat_private           http://kandalaya.org/
                         It is the mind that moves
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 21:32:21 PDT