Full Disclosure mailing list archives
Symantec Buys SecurityFocus, among others....
From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Fri, 19 Jul 2002 20:38:21 +0000 (GMT)
On Fri, 19 Jul 2002 haiku () hushmail com wrote:
Or better, thousands per advisory when a consultant for a certain company shows up to audit networks. What's @stake's billable rate these days?
As a consulting company that publishes vulnerability information and tools, we contribute to the pool that we drink out of.
First and foremost, let me say this list is complete dogshit. I'd like to go on the record with my opinion being that moderated mailing lists are a good thing. It keeps all the fucking whining to a minimum. You think I actually care that your information is being resold? No! I just want the information, delivery medium negotiable. I could give a fat rat's ass if you get credit, either. That's one thing I can say for any vulnerability database; at least I don't have to listen to a bunch of punkasses and their incessant boohooing; instead, I get just the pertinent information. At the end of the day, I don't give a fuck who you are, or how great you think you are; I care that my systems are secure, and that's the bottom line.
So would you use a non-profit database that was populated by the vulnerability reporters themselves? That is what I am proposing.
Second, I've been amazed at what big fucking morons the "esteemed hackers" in the community are. Especially Chris and Jay. Wow! I thought you guys were really intelligent, and to some extent, had a moderate amount of respect for you two. The only thing I've seen from any of you at this point is hidden agenda. You guys are truly disgusting. You guys set the bar for low. Proof that nothing is ever what it seems.
For wanting a public vulnerability database? This is what the security community is currently missing in a public and open format. There are open source NIDS, vuln scanners, and other security tools. There are public security mailing lists. There is a public vuln dictionary, CVE. But there is no public vuln database. Why is everything else good to have non-commercial alternatives for except a vuln database? The open source tools could tie into it.
supply for the sake of creating something for the common good. The first person that comes to mind is Renaud Deraison. Yeah, you guys are fucking brilliant, right? Make the information copyrighted, so he can't continue to work on a FREE project continually exploited, and at least try to sell support so he can pay the fucking rent? Jesus.
I certainly didn't mention restricting information. A public vulnerability database would require the information to be open so that it could be in the database.
And let's not even talk about Marty Roesch. If there's another person that knows something about giving heart and soul to a project, and continually getting exploited, he's our man. He runs a great project, and I'll bet not a single one of you whining bitches hasn't used it, and if you consult, haven't provided it as a "solution" that you charged some company billable hours for. So now you want to take the information that he needs as well, and restrict him from it? Looks to me like he's finally getting his company off the ground, and you guys want to fuck him now too?
@stake employees have contributed to the Snort project. I actually was using Snort earlier today on a product pen test. It's great. Marty has created something wonderful. A public vulnerability database would enhance Snort not hurt it. We don't really do implementation work but we have recommended to some of our customers that they install Snort.
separate them. I still nearly fall off my chair with laughter when I visualize Chris sucking up to MS, and trying to push the "responsible disclosure" agenda while moderating an allegedly "full disclosure" list, and posting to others. You're a man of many faces, Chris, all of them in twos. I'll not even pick on Jay; I really feel pity on him.
You can support the First Amendment and still limit what you personally say and write. I choose not to be vulgar in my list postings and I might even advocate for others to not be vulgar but I would never want to ban that language. I think it is a benefit to security if people can patch their boxes before exploits are written. Nothing is a single bullet solution but I think that certain disclosure practices can help make this happen. Obviously a lot has to be done better on the vendor side. So while advocating for people to follow certain disclosure practices I still don't think there should be a law restricting free speech. Once someone has chosen to publish information they are going to publish it. It is better for the community that VulnWatch approve these messages so that everyone can get the information at the same time.
-Chris
haiku