Full Disclosure mailing list archives
RE: Security Industry Under Scrutiny: Part One
From: hellNbak <hellnbak () nmrc org>
Date: Thu, 7 Nov 2002 09:35:25 -0600 (CST)
I get flamed every time I post to this list, but here goes anyway.

> * security advisories are rarely based on original concepts

Agreed.
There has been a lot of "XYZ found a vuln similar to this blah blah blah" type advisories lately. But a vuln is a vuln is a vuln, is it not?

> And sometimes enough information for me to repeat the test and check if I'm also vulnerable.
Agreed.
> my clients' computers. They also help better

This isn't a shot at the author of this reply, but his comment about the existence of tools helping him help his clients illustrates something that lately has been making me sick enough to start rethinking things. The problem isn't full disclosure. The problem isn't the so-called white-hats. The real problem is the armies of clueless "consultants" who use lists like this one, Bugtraq, VulnWatch, etc. to give themselves more fodder to swarm on corporate America with. Half of these people are not even taking the time to fully understand the issue. New vulnerabilities equals more money. More script kiddie web site defacements equals more money. When did learning about technology drop from this picture?

Back in the day I remember using the mailing lists to learn about security and, more importantly, to learn about how vulnerabilities are found and how they affect various systems. I had a lot of fun and I learned a lot. Was I a consultant trying to sell security? No, I was an IT grunt just trying to have some fun while paying my bills. I have always supported full disclosure because I feel I have learned a lot because of full disclosure and felt that others would too. Unfortunately, this doesn't seem to be the norm anymore.

Today, I am part of that army of security consultants, and as hard as it is to look at myself in the mirror, I at least find comfort in knowing that I still learn a lot from these lists and I still try to take the time to understand the issues and not just take them and use them to try and sell work. Sure, I would rather not be yet another "security consultant", but until I find myself a more respectable job that lets me continue with my hobby, it pays the bills.
> And what to do when they ignore you? The mechanics of "full disclosure" (or "posting to public forums" as you put it) is that vendors will not correct software problems just because they exist, but they'll do it to protect their image and reputation. Before "full disclosure" it wasn't strange to have a software company like Sun take years to produce a fix for a security bug. I don't want to go back to that dark age.

I think this issue is black and white. Vendor ignores you, release information on the vulnerability. That does not, however, mean you release a point-and-click script.

> That's what I'm doing, unfortunately positions like yours make my job and all of those in the security industry more difficult and more expensive, making sure that we'll have less, not more security.

Killing full disclosure will make security more expensive, I agree. Without full disclosure we will see a bunch of companies selling their zero days to the highest bidder, which in the long run will not improve security one bit. I am asking myself what is worse: the clueless using lists like this to get rich, or companies at least paying those who can find vulnerabilities a fat salary to then resell the vulns to their clients. I don't think either improves security.

I remember years ago people saying to be careful: "the security industry is full of snake oil salesmen". This has never been more true. It makes me puke every time I see some suit-wearing, fast-talking "expert" who can barely use a computer but is armed with all kinds of "tools" and the knowledge that the CXO knows less than he does. The scary thing is, consistently these guys will win the work because they talk a good game, leaving organizations less secure than they were when they started. Why doesn't someone sue a vendor?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html