RE: 0-day exploit..do i hear $1000?

From: Steve (steveat_private)
Date: Thu Oct 18 2001 - 13:24:55 PDT

> I stand corrected. Read in an e-zine that you are a "security
> consultant". Assumed it was your own company.

I had a teacher back in high school who used to say "Never assume, you
make an ASS out of U and ME".  Still, I don't see your point.  So what if
RFP had his own consulting company?  Are you saying that if he has his
own vacuum cleaner company we would see all kinds of zero day vacuum
exploits?  That's a pile of crap; *most* of the researchers I have come
into contact with in my career do their research primarily because it is
interesting to them, *not* to simply start up a consulting firm and make
some money.

Yes, some of us are forced to do things like pay bills and support
families; consulting is one of those ways, but consulting should not be
the reason behind the research.  If it was, most would be like a certain
start-up that releases vague white papers and only gives full details to
their paying customers.

> So do we. We just also want to make a living doing it. We
> don't rape the industry - we contribute where we can.

There is nothing wrong with making a living.  But there is something
wrong with doing research just to promote your business.  In my opinion,
anyway.

> RFP, the way I see this business is like this. You do your
> job, try to do it better than the dude next door, build
> cutting edge technology, release it to the public (as it's
> stupid to think that no-one else will get it anyhow) and use
> it to get your company name out there, while you're contributing
> to the industry as a whole. Does that mean selling out? I hope not.

It doesn't mean selling out, but it's organizations who care more about
the press they will get vs. the good they can do who cause Microsoft to
write articles like the "Information Anarchy".  Your research should not
be to simply get your company name out there; it should be to better arm
the IT community and help them protect themselves.

There is nothing wrong with making sure your company name is on an
advisory, but there is something very wrong in doing the research just
to prove how smart your employees are.

    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:35:10 PDT