-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Your points are excellent - thanks. I was one of the individuals that responded to the original question. My post was denied, though it used no foul language, and violated the list charter in no way. Its good to see that my reaction to this moderator's sudden bout of nerves was not singular. I wonder of it has something to do with the fact that CORE is a major advertiser on the security focus site, and my review was less than glowing? For those who are interested, here is the text of my original response to Mr. Wolf's request for information about the real-world perofrmance of the CORE Impact tool: <quote> We're testing the app in-house right now. I'd have to give it a 5 out of 10. There is some potential here - the interface is nice, and it is appealing to have an outside shop researching/developing new exploits. The existing exploits are fairly well documented. Info is included as to what service the exploits attacks, and how. The tool lends itself nicely to a structured methodology, so that repeated evaluations and evaluations of large numbers of hosts are sure to be apples:apples comparisons from one test to the next. Also, the CORE team has been very willing to help, and very accommodating. However, there are some issues. You can't evaluate a host until you have run network discovery and found it, and network discovery is limited to ping sweeps, arp, tcp scans, and sniffing. There is no way to evaluate a host that does not get picked up by one of these tools. Exploits are a bit limited, and mostly cater to testing IIS. We have a great deal of HP-UX & Solaris on our network, so this is not a very good match at present. Also, The rate at which new exploits are delivered currently leaves something to be desired. We've been testing the Impact for a month now, and I haven't seen any new exploits appear in the list. Also, the list of exploits seems to be entirely webserver oriented. There are simply no exploit for routers or firewalls or any other component of a common network. There are also some bugs in the software - it doesn't seem be consistently able to recognize the NIC - One time you start the app, and all is well. The next time you start, you may get a "network interface not found" warning. Sometimes this can be corrected just by telling the app which card to use, but on some installations the list of NICs within the app is blank, even though other apps can see and use it. In this particular case, the NIC is not something highly irregular - just an old Intel PCI NIC. Fingerprinting is also somewhat lacking. I just downloaded an update today, but Impact still cannot ID half the windows boxes on my test network. Finally, there is the fact that we have yet to compromise a single host using this tool. My next step is to tailor-make a vulnerable box for one of the provided exploits, and see if Impact can penetrate it. I'll keep you posted, if you like. </quote> Regards, cMax On Mon, 07 Jul 2003 12:51:42 -0700 Gwendolynn ferch Elydyr <gwenat_private> wrote: > >I've CC'd this email to full-disclosure, so that those folks that >aren't >on pen-test are aware of the policy change to posting requirements >on >that list - and potentially to more of the securityfocus lists. >It's >interesting to note that the only list that appears to have an exemption >from this type of policy or arbitrary action is bugtraq. > >On Mon, 7 Jul 2003, Alfred Huger wrote: >> Recently someone posted a question regarding a product (CORE Impact) >to >> the list. These types of posts always make me leery because this >industry, >> being what it is, rarely has anything nice to say about anything. >Being a >> product vendor myself I am particularly aware of how ugly people >can be. >> Often, if not always, when these come out the competitors to the >product >> generate email addresses elsewhere and have their way. Or the >vendor >> itself does the same thing and pumps their product. > >When I first read this posting, I went and checked the headers, >to see >if it was a forgery. The style seemed rather unlike AH, and the >content >was (at best) distressing. To my chagrin, this actually appears >to be >valid email. > >> The list has 13,000 + people on it. Many of them decision makers >so I need >> to be fairly careful about this. So here are the ground rules >moving >> forward: >> >> 1. If you want to post about a product positive or negative you >> cannot do so from a Huhsmail or other such account. >> >> 2. If you plan to post use your real name or do not post. >> >> 3. Be polite period. >> >> 4. Do not use this as a forum to take shots at your competitor >or I >> will see you and your company banned from every list we have here >(except >> Bugtraq). > >I have to ask. > >Why? > >Did the Symantec lawyers have a sudden bout of panic about potential >defamation lawsuits? Are there so many posts to the list that contain >problematic content? > >This isn't full-disclosure, the last time I checked. To the best >of >my knowledge, pen-test is a moderated list. Surely the moderator >is >capable of noting the difference between "Your product sukz0rs" >and >"The product proved unable to stand up to traffic above 100Mhz" >- and >of passing the appropriate posting through, whether it has "John >Doe" >or "thunderfallingdown" attached to it as a moniker. > >Beyond that, threats seem inappropriate. "...I will see you and >your >company banned from every list we have..." Has Symantec stooped >to this >level, or is this personal opinion. > >I lament the former list - and the free flow of useful information. > >cheers! >========================================================================== >"A cat spends her life conflicted between a deep, passionate and >profound >desire for fish and an equally deep, passionate and profound desire >to >avoid getting wet. This is the defining metaphor of my life right >now." > > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html > > -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj8KI7MACgkQ6muvpb42jIC4YACgmVN5BwetaWlWXW2bh5fLB1yxZc0A oLPXGP8CNQvi3Et9yNeMUbiRyVXg =DNhd -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 21:30:58 PDT