Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others....


From: full-disclosure () lists netsys com (Chris Wysopal)
Date: Fri, 19 Jul 2002 20:38:21 +0000 (GMT)


On Fri, 19 Jul 2002 haiku () hushmail com wrote:

> Or better, thousands per advisory when a consultant for a certain
> company shows up to audit networks.  What's @stake's billable rate
> these days?

As a consulting company that publishes vulnerability information and tools,
we contribute to the pool that we drink out of.

> First and foremost, let me say this list is complete dogshit.  I'd like
> to go on the record with my opinion being that moderated mailing lists
> are a good thing.  It keeps all the fucking whining to a minimum.  You
> think I actually care that your information is being resold?  No!  I
> just want the information, delivery medium negotiable.  I could give a
> fat rat's ass if you get credit, either.  That's one thing I can say for
> any vulnerability database; at least I don't have to listen to a bunch
> of punkasses and their incessant boohooing; instead, I get just the
> pertinent information.  At the end of the day, I don't give a fuck who
> you are, or how great you think you are; I care that my systems are
> secure, and that's the bottom line.


So would you use a non-profit database that was populated by the
vulnerability reporters themselves? That is what I am proposing.


> Second, I've been amazed at what big fucking morons the "esteemed
> hackers" in the community are.  Especially Chris and Jay.  Wow!  I
> thought you guys were really intelligent, and to some extent, had a
> moderate amount of respect for you two.  The only thing I've seen from
> any of you at this point is hidden agenda.  You guys are truly
> disgusting.  You guys set the bar for low.  Proof that nothing is ever
> what it seems.

For wanting a public vulnerability database?  This is what the security
community is currently missing in a public and open format. There are open
source NIDS, vuln scanners, and other security tools. There are public
security mailing lists. There is a public vuln dictionary, CVE.  But there
is no public vuln database.  Why is everything else good to have
non-commercial alternatives for except a vuln database?  The open source
tools could tie into it.


> supply for the sake of creating something for the common good.  The
> first person that comes to mind is Renaud Deraison.  Yeah, you guys are
> fucking brilliant, right?  Make the information copyrighted, so he
> can't continue to work on a FREE project continually exploited, and at
> least try to sell support so he can pay the fucking rent?  Jesus.

I certainly didn't mention restricting information.  A public vulnerability
database would require the information to be open so that it could be in
the database.

> And let's not even talk about Marty Roesch.  If there's another person
> that knows something about giving heart and soul to a project, and
> continually getting exploited, he's our man.  He runs a great project,
> and I'll bet not a single one of you whining bitches hasn't used it,
> and if you consult, haven't provided it as a "solution" that you
> charged some company billable hours for.  So now you want to take the
> information that he needs as well, and restrict him from it?  Looks to
> me like he's finally getting his company off the ground, and you guys
> want to fuck him now too?

@stake employees have contributed to the Snort project. I actually was
using Snort earlier today on a product pen test.  It's great.  Marty has
created something wonderful. A public vulnerability database would enhance
Snort, not hurt it.  We don't really do implementation work but we have
recommended to some of our customers that they install Snort.

> separate them.  I still nearly fall off my chair with laughter when I
> visualize Chris sucking up to MS, and trying to push the "responsible
> disclosure" agenda while moderating an allegedly "full disclosure"
> list, and posting to others.  You're a man of many faces, Chris, all of
> them in twos.  I'll not even pick on Jay; I really feel pity on him.

You can support the First Amendment and still limit what you personally say
and write.  I choose not to be vulgar in my list postings and I might even
advocate for others to not be vulgar but I would never want to ban that
language.  I think it is a benefit to security if people can patch their
boxes before exploits are written.  Nothing is a single bullet solution but
I think that certain disclosure practices can help make this happen.
Obviously a lot has to be done better on the vendor side.  So while
advocating for people to follow certain disclosure practices I still don't
think there should be a law restricting free speech.  Once someone has
chosen to publish information they are going to publish it.  It is better
for the community that VulnWatch approve these messages so that everyone
can get the information at the same time.

-Chris



> haiku

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure
