Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Alfred Huger (ahat_private)
Date: Tue May 28 2002 - 22:00:36 PDT

        Alfred> Yep, that is what I suspected most people would take
        Alfred> umbrage with. In this case however I think NGSSoftware is
        Alfred> perfectly within their rights. Firstly I do think their
        Alfred> motives are above board. Having said this I see nothing
        Alfred> wrong with it even if their motives are purely
    
    >Doesn't appear that way to me.  Their motives appear quite commercial
    
    I won't belabor my previous point about this being a non-issue. Their
    motives in this case are largely immaterial; it's the net effect that
    needs to be evaluated.
    
    >there is no reason why SecurityFocus, pen-test or bugtraq should
    >provide them with a platform to propagate their products and services.
    
    This topic was not brought here by them but by me.
    
    >They have the freedom under law to hoard their vulnerability
    >database for the benefit of their customers
    
    Well I'm glad you at least agree their customers are receiving a benefit
    from it.
    
    >and we have the
    >corresponding freedom to boycott them, ignore them or prevent them
    
    We? Are you referring to the royal we? Or are you referring to a body of
    consumers which you represent?
    
    >from hijacking a public full-disclosure forum for their own ends.
    
    First off, this is not a full disclosure list for bug reporting. The VNA
    issues have never so far as I understand been posted to Bugtraq, the only
    dedicated full disclosure list we run here at SecurityFocus.
    
    
        Alfred> commercial. The Internet like anywhere is driven off
        Alfred> business concerns. If NGSSoftware can provide a valuable
        Alfred> service by alerting their customer base of flaws in
        Alfred> production software - power to them. This is after all
        Alfred> about paying the rent. I understand that a fair number of
        Alfred> folks in this industry are still waiting for the Great
        Alfred> Leap Forward to sweep us all into some digital utopia
        Alfred> where information wants to be free and where breaking into
        Alfred> someone's computer can be painted in a benevolent light
        Alfred> (you know - just trying to help). I am not buying. I'd
    
    >I missed the connection between free information and freedom to crack
    >here unless the latter is just a red herring to divert attention from
    >the former?
    
    Your post indicates to me that you're bright enough not to need a basic
    dissection on this. If I'm wrong I'll be happy to be pedantic with you off
    list.
    
        Alfred> take advance notice from NGSSoftware over idealism. One
        Alfred> keeps me my job while the other makes for good coffee shop
        Alfred> banter but little else.
    
    >Since mailing lists embody the free information aspect of the
    >internet, in effect you're saying that PEN-TEST, VULN-DEV and BUGTRAQ
    
    Really? As dictated by whom? Might this be the royal we again? The lists
    you mention were founded around principles of open discussion. They were
    not built around some moral construct about maintaining 'free information'
    or liberty or anything so vaunted. Just open discussion.
    
    >are `coffee-shop banter' while your other concerns are what are of
    
    Hardly, my comments were (quite clearly) directed at not opting for a
    misplaced idealism over a pragmatic approach to a real problem. I suspect
    you are being argumentative here and not actually obtuse.
    
    >I find that quite disturbing, and if that
    
    If you find that disturbing, life outside of work must be downright
    hellish.
    
    >really is the case I'd suggest that SecurityFocus hand over the mantle
    >of running this list to another individual or, if this is the
    >prevalent thinking in the company, another organization.
    
    Really? I'll be sure to take that into consideration. This actually was
    the part of your post that got my attention. I always get a bit put back
    when people like yourself make comments like this. When I founded
    SecurityFocus, before I brought a single person on board, I had a very
    clear conception of what I was to build. I've done that, the scary part is
    people like yourself assuming I (or the dreaded 'we' in this case) owe you
    something. We are still entirely within our stated goals as a company - I
    suggest you read them before assuming I've abrogated some sacred trust to
    you and should therefore hand over the last 4 years of my life to you as
    recompense. This company is about information - commercial and otherwise
    if that's not palatable to you then move on - we have nothing to offer
    you.
    
        Alfred> Yes and ISS is not alone there. It's been done by other
        Alfred> scanner vendors.  SNI in particular did this a few
        Alfred> times. We also alerted our customers about vulnerabilities
        Alfred> we had in the pipes with vendors as a matter of course.
    
    >Precedents are not an argument for continuing a flawed policy.
    
    Nope, provided the premise is flawed which you've yet to actually address.
    Now before you reply, take a second and a deep breath and compose
    something like a rational argument based around points not emotional gut
    reactions and vague statements.
    
    -al
    
    
    VP Engineering
    SecurityFocus
    "Vae Victis"
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    