Full Disclosure mailing list archives
RE: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...
From: Kenton Smith <ksmith () chartwelltechnology com>
Date: Thu, 12 Feb 2004 12:54:48 -0700
Mr. Copley,

I'm not an Eeye customer nor do I necessarily share the views of the original poster. However, if I were you I'd quit while you're ahead. This sort of tone from a representative of the company doesn't reflect well on the company in general. Whether the poster is knowledgeable or not, a professional or not, a troller or not, insults from a company representative, in my view, will bias my opinion towards that company as a whole. If I purchase an Eeye product and ask what the representative thinks is a stupid question, will I get a constructive answer to help me or will I get laughed off the phone? I don't know, and now I wonder.

There are enough people who respond with insults on this list, it'd be nice if we didn't see it from corporate representatives as well.

Kenton

On Thu, 2004-02-12 at 12:17, Drew Copley wrote:
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Tinsley
Sent: Wednesday, February 11, 2004 10:57 PM
To: Drew Copley
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: Re: <to various comments>EEYE: Microsoft ASN.1 ...

Drew Copley wrote:

Without replying to each troll, individually, I thought maybe some people would like to see some answers to some notes.

Most of these are from me, so I will personally respond to those that apply. And believe it or not, this is not a troll, I really wanted to see people's viewpoints on this subject.

Somehow, I find this hard to believe.

These are my own comments, I speak for myself.

Question: "Why release all of the details"

This statement is not an accurate paraphrase, I didn't say why release them all. I said why release them all on day 0 of the patch release.

Answer: Polls show this is what administrators want. This is one reason we do this. Another reason we do this is simple, we use the details ourselves. We use the details to create signatures for our vulnerability assessment tool and firewall. Security administrators then download these signatures and use them to check for patches or to protect systems which can not yet be patched.

Administrators don't need this crap to fix their boxes, they simply need the exploit vectors, the possible mitigation steps, and the potential severity of the vulnerability.

<snip>

I have gone over this a few times with some others. I believe I already said it here. You seem to be unable to either hear it or believe it.

In no particular order:

One, the polls show that more want it than not.

Two, we sell products which secure their boxes. We have a lot of customers. Our competitors do the same thing. Altogether, we are the industry. We have to know what the security hole was, so do our competitors. Then, we can protect against this. So can they.

Three, we don't give out exploit code. You can't make an exploit from our advisory.

I don't know you, I don't know who you are. But, frankly, not that many people can even write exploit code. With these bugs, you would have to be able to not only write the exploit code but also understand the cryptographic references and their implementations in the Windows OS.

It isn't all that hard. But, it turns out, that the guys who can write exploit code also can reverse engineer patches... They can also understand our advisories, but they can also find their own bugs.

Okay? Real world. But, I don't think you understand that. Why should I go on. It isn't rocket science. But, you are saying, "I know, I know". And, you do not know. That is when people can neither learn nor understand.

Now, as a brief disclaimer... Security, being able to do these things is not something that requires someone to have a tumor in their brain that makes their IQ magically go up a thousand points. It requires only desire. This means a predisposition. You have to be willing and wanting to sit there and work through these things.

So, you really have no excuse not to understand these things. You are a Monday morning quarterback.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html