Penetration Testing mailing list archives
RE: Scanners and unpublished vulnerabilities - Full Disclosure
From: Alfred Huger <ah () securityfocus com>
Date: Tue, 28 May 2002 18:54:52 -0600 (MDT)
> I couldn't agree more. I personally see it as a ploy touting the fact that their purchasable product will now and then be able to look for some vulnerabilities that other products won't be able to.

And this is wrong how? If David can protect his customers on a pro-active basis and allow them to assess their own risk, I can't see how you find fault in it.
> I think it's irresponsible to try to pawn off a marketing scheme as something that will help benefit the security community, or help the process of getting vulnerabilities fixed.

Ok, that's a bit much. There is not a vendor or security team in existence who is publishing security alerts for posterity alone. It's in most if not all cases a situation whereby companies or individuals are either marketing their product or talent. Start, stop, finish. People can paint up their motivations in any way they suspect they might be more palatable to the general public, but let's not fool ourselves here: our industry is not driven by benevolence. Further, there is *nothing* wrong with this because, regardless of your motivation, the net result, if handled properly, helps everyone involved.
> Giving out details of any nature, before there is a patch, is never the best route and should be used as a last resort, not a first.

If you read the VNA I think you'll see this is the case.
> I also do not agree with the statements about people not being able to figure out exact details of the vulnerabilities based on the "VNA"s.

I think you're wrong here. By all means dig into his VNA and prove me wrong.
> If you publish details saying XYZ product has a flaw, this is how you work around it, and here is a product which can scan your network for it, then people will FOR SURE be able to pinpoint the flaw and start widely exploiting it while we all wait for a vendor patch.

This is a strong statement with little or no evidence. Ballista, ISS and Cerberus have all had non-published vuln checks in them. Can you point out any instance where this turned into wholesale attacks from reverse engineering?
> A researcher finds a flaw, why should they not be able to give that information to paying customers (under NDA) while the researcher waits for a vendor to fix the vulnerability? I am not saying I agree with that, but for people like David who are good at finding vulnerabilities, it only makes sense to try to figure out how to make a living off of that talent... wrong or right, no opinion.

A salient point to remember here is that David and his team are hardly alone in their ability to discover vulnerabilities. Finding heap/buffer overflows, format string bugs, race conditions etc. is no longer an arcane science. It does not require strong programming skills (in the professional sense). Simply put, it's fairly simple to do and therefore you should assume that it's being done en masse. The question is not whether David's company should be able to profit off of their research; that I think is a no-brainer. The issue is: should they follow their policy as stated in the VNA? The answer to this I think is also a no-brainer. Yes.
> I do see it as being a big problem, and totally unethical, if you start to manipulate the situation into being one of a strong arm style tactic where it's "give me money, so you stay protected" .... equating it to store owners having to pay off local thugs so they don't go bashing their place up.

Hmm, I know people have attacked your credibility on issues like this in the past. Has your position changed or are you a touch gun shy now?

This is hardly extortion; it's the principle on which the security industry is run. Buy a firewall or you're exposed to the unwashed masses, buy this scanner or your network will be littered with security vulnerabilities, buy our encryption or your data will be purloined, and so on and so forth. People are buying our products to protect themselves; there are no illusions about this.

Loading up the conversation with this type of imagery borders on ridiculous. The same folks who use language like this are the same myopic types who vilified eEye over CodeRed.
> Not that I am saying this is what is happening here. Once again, I just think this is a really poor marketing ploy. But hey, it's working... we're all discussing it, as dumb as it all is.

David did not bring this issue up - I did. I do not own part of his company, use his product or even know him. The only people I have ever plugged in 4 years of running this list are CORE ST and they deserved it.

Cheers,
-al
VP Engineering
SecurityFocus
"Vae Victis"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/