Dailydave mailing list archives
Re: Fwd: [ISN] Security experts hit out at "unethical" bug finder
From: robert () dyadsecurity com
Date: Mon, 14 Mar 2005 11:12:52 -0800
Anthony Zboralski (bcs2005 () bellua com) wrote on Mon, Mar 14, 2005 at 11:13:11PM +0700:

> "What are these people missing here?" asked Copley. "Are they crazy? What prevents any organised criminal group or criminal from getting on there and signing a NDA?"

It takes great arrogance or ignorance to suppose that the security research group selling the vulnerability information is the only entity to have the information. If the software that has the vulnerability is publicly available, no one entity controls the vulnerability information. I hope we see the Immunitysec position become the norm. It will help people realize that there are people out there who have information about problems that are not sharing them with the public at large. This has been happening for years already, but people feel safe because their [nessus, foundscan, retina, etc] told them they were mostly green.

> Copley said even "total disclosure", whereby everybody - vendors, researchers and the general public alike - is given the information at the same time would be preferable.

At least he's not completely crazy... but I'd bet money that if someone released 30+ vulnerabilities on the same day with full details, Copley would change his tune about that too.

> "The business model deliberately creates a culture of the security haves, and the security have-nots. It does not improve security overall," he added.
This is a really funny accusation. While I agree with him, I don't think the patch management upgrade game does anything to improve security either. We can't even agree on the problem ... no wonder the solutions are controversial.
> Perry also questioned whether Aitel's customers are getting value for money. Because vendors are kept out of the loop, flaws go un-patched while Immunity's customers are given a workaround.

The beautiful thing about a free market is that Aitel's customers are the ones who get to decide if they are getting value for their money. If they don't feel they are, I doubt they would resubscribe.

> "You're given a workaround by Immunity, but you don't have a fix - a patch from the vendor that permanently addresses the problem. The door is closed, but it's not locked shut."

Until the next day when we find the next problem. Software modules have bugs. DAC can not provide assurance. In the mean time, let's make money where we can. I find ImmunitySec's business model no less ethical than the Antivirus market. At least Dave's VSC is fit for the purpose he's marketing it for :).

Robert

--
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave