Full Disclosure mailing list archives
Re: iDefense: Solution or Problem?
From: VX Dude <vxdude2003 () yahoo com>
Date: Wed, 14 Jul 2004 07:56:37 -0700 (PDT)
Just a quick thought for a business plan.

1) Start off with a low investment of $1200.
2) Buy a couple chunks of Entersys source code from SCC
3) Find vulnerabilities and write 0-day exploits
4) Give 0day to your investors
5) Sell 0day to iDefense (or Sourcefire hahahahaha) for $300 a pop
6) Use profits of sale to buy more chunks of source code
7) Repeat steps 3-6 until complete
8) Release code as "open source", diminishing its corporate value
9) Make a business using this "open source" IDS and compete with Sourcefire hahahahaha
10) Release IPO =D

Now, I'm no lawyer, but Hollywood has taught me that it's probably illegal to _knowingly_ buy illegal goods (such as Entersys source), but! Is it illegal for iDefense to buy the research from illegally bought goods?

-vx

_______________________________________________
Full-Disclosure - We suck it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--- idefense () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael, you claim that this is a typo, but is it really? Even if this is a typo, how do you explain waiting over a month to contact the vendor? How do you explain past times when iDefense waited over a year to notify a vendor? How does this relate to the iDefense disclosure policy?

http://www.idefense.com/legal_disclosure.jsp

  iDEFENSE will responsibly inform vendors as soon as possible after having learned of a problem with their product(s) or service(s).

Note: ".. will responsibly inform vendors as soon as possible after having learned of a problem". There is absolutely no debating that this is pure marketing fluff and not how iDefense operates. Look at their history of vulnerability disclosure and their timelines for proof. The real question becomes, just how unethical and how greedy iDefense really is! Further, are they now rewriting history to desperately protect their already dark image?

Witness:
http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html
Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability

VII. DISCLOSURE TIMELINE
02/02/2003 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification

Did iDefense sit on this vulnerability for 17 months? Shortly before or after Cary Barker pointed this out on Full-Disclosure
(http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html),
iDefense seems to have had a change of heart!
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification

The first and understandable reaction (excuse) would be "iDefense had a typo", but once again, digging into their past vulnerabilities, is that really the case?! Even if THIS advisory had a typo, how about some others this year?!
http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
04/03/2003 Vulnerability acquired by iDEFENSE
07/08/2004 Public disclosure
http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
04/05/03 Vulnerability acquired by iDEFENSE
05/17/04 Public disclosure
http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
April 2, 2003 Exploit acquired by iDEFENSE
May 12, 2004 Coordinated public disclosure

Sitting on vulnerabilities for a year before notifying the vendors is not what 'white hat' hackers do. These aren't the actions of a reputable security company. Combining this with the fact that you sell this information to people in foreign companies and governments, including some that are "harboring terrorists" (according to our government), makes your actions potentially criminal. What, you haven't checked your client list carefully? Selling vulnerability information to terrorist nations isn't very friendly to the US!

Looking back at your 2004 advisories (and some in 2003), could anyone at iDefense explain how their responsible disclosure policy applies? Here is a general idea of their disclosure process and time frames:

Advisory  Discovery  Publish   Vend Notify  Publish Time
07.12.04  03-02-02   04-07-12  13 mo 7 d    17 mo 10 d
07.09.04  04-06-29   04-07-09  7 d          10 d
07.08.04  03-04-03   04-07-08  14 mo 26 d   15 mo 5 d
07.01.04  03-09-27   04-07-01  8 mo 7 d     9 mo 4 d
06.23.04  04-04-21   04-06-23  14 d         2 mo 2 d
06.21.04  04-02-26   04-06-21  3 mo 13 d    3 mo 25 d
06.10.04  04-04-14   04-06-10  28 d         1 mo 26 d
06.08.04  04-04-27   04-06-07  22 d         1 mo 10 d
06.07.04  03-04-05   04-05-17  13 mo 2 d    13 mo 12 d
05.27.04  04-02-18   04-05-27  20 d         3 mo 9 d
05.26.04  04-02-18   04-05-26  20 d         3 mo 8 d
05.12.04  03-04-02   04-05-12  12 mo 5 d    13 mo 10 d
04.15.04  03-12-08   04-04-15  1 mo 16 d    5 mo 7 d
04.14.04  04-01-09   04-04-14  1 mo 11 d    3 mo 5 d
04.13.04  04-01-12   04-04-13  5 d          2 mo 24 d
04.05.04  04-01-09   04-04-05  1 mo 16 d    2 mo 26 d
03.19.04  04-01-13   04-03-19  24 d         2 mo 5 d
03.09.04  03-10-10   04-03-11  1 mo 2 d     5 mo 1 d
03.02.04  04-01-22   04-03-02  25 d         1 mo 10 d
02.27.04  04-01-13   04-02-27  26 d         1 mo 14 d
02.27.04  04-02-04   04-02-27  6 d          23 d
02.23.04  03-12-08   04-02-23  1 mo 21 d    2 mo 15 d
02.17.04  03-10-31   04-02-17  4 mo 2 d     4 mo 19 d
02.12.04  04-02-09   04-02-12  0 d          3 d
02.10.04  04-01-09   04-02-10  24 d         1 mo 1 d
02.04.04  03-12-08   04-02-02  1 mo 21 d    1 mo 24 d
09.25.03  03-02-25   ?         8 mo 0 d     ?
07.29.03  03-04-20   03-07-29  2 mo 11 d    3 mo 9 d
07.01.03  03-03-11   03-07-01  3 mo 0 d     3 mo 19 d
05.22.03  02-12-31   03-05-22  4 mo 17 d    5 mo 22 d
02.12.03  02-10-31   03-02-12  2 mo 29 d    3 mo 13 d
02.03.03  02-01-11   03-02-10  12 mo 9 d    12 mo 29 d

"iDEFENSE will responsibly inform vendors as soon as possible after having learned of a problem with their product(s) or service(s)."

Five different times, iDefense sat on a vulnerability for OVER A YEAR. They routinely wait one or more months to notify the vendor. Is that "as soon as possible"? Of course not, that would hurt the bottom line.

Sincerely,
Dark Elf

References

07.12.04 - Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification
03/11/2004 Initial vendor response
03/11/2004 iDEFENSE clients notified
06/07/2004 Vendor update released
07/12/2004 Public Disclosure
* original full-disc post listed 02/02/2003 discovery date

07.09.04 - wvWare Library Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities
06/29/2004 Initial vendor contact
07/06/2004 Vendor response
=== message truncated ===