Bugtraq mailing list archives
Re: new iss stuff
From: rwing!pat () ole cdac com (Pat Myrto)
Date: Tue, 10 May 94 21:37:42 PDT
"In the previous message, Andrew Watts said..."
>> Sure - if you want your security to be dependent on a black box. And you really believe that NO contributed code was included in it, code for which the original writers are not getting a DIME? The price would be reasonable, IF IT INCLUDED SOURCE. But it doesn't. For source it's well over a grand. It's back to security through obscurity (only now it's 'security through black boxes').
I see you ignored the point I made above. How come I am not surprised? About the price being reasonable if it included source. But source is priced more like it was from AT&T's toolbox. It only means the well-to-do crackers will be getting it - initially.
> Have you seen a copy of the commercial product? Have you asked the supplier for a copy of the source to check your allegation that contributed code was used in it? Because let's face it, you basically just accused them
I said do you really believe it is totally free of contributed code? Code contributors would not be getting a dime for? It would take a past contributor going over it with a fine-tooth comb to determine that. And there are a lot of people who have contributed code in one way or another that has worked its way around in the freeware stuff. Yeh, right. He's gonna give me source to inspect - sure, if I pay a grand for it. I don't really want to waste my time (or funds in 4 figures) in that regard. Which I have no intent to do. Which was my main point. The fact remains, if it does contain any code or is based on any code that was provided as a patch or a port to another platform, it contains contributed code as far as I am concerned. And I really doubt if those contributors are being offered a piece of the action. Perhaps I am wrong, but I doubt it - or it will be after the point was brought up. I really doubt if they threw all the ideas and code from the old version away, and did it all totally from scratch. If they did, it's probably delightfully buggy, because any bugfixes (especially platform-specific ones) would be omitted.
> of that. Have you also consulted with the supplier to find out what information he will supply regarding what the program checks for, and what holes it attempts to discover and correct? Perhaps the supplier will be more than happy to share with those who purchase this product information about the particular security problems. I don't know these
The point is, when one puts out money, they should know that UP FRONT.
> things for a fact, but have _you_ investigated first? It seems you're making a lot of assumptions on behalf of the supplier which may turn out to be totally unfounded.
Perhaps. We will see. Maybe they will change their policy and charge a sane price. If that were to occur, I would say a lot of good has been done. Ain't gonna be done because one guy contacts them on the quiet; it will be done if people say "Yeh, what about this?".
The bad taste remains. I smell a gouge playing on fear. If they decide to make the sources affordable, perhaps I will change my viewpoint. Otherwise, they are making the decisions FOR the using admin, not allowing him to decide what he wants to check.
> How many people who sell word processors provide it with source? How many
This is not a word processor. It is a security analysis tool, with a vendor deciding what you should and should not analyze IN ADVANCE - making the assumption a customer will abuse it UP FRONT. I am so happy he is so delighted to make those decisions FOR you. Sort of like our nanny-at-gunpoint government doing the same for us. It is not expected to run on one or two platforms, but dozens, perhaps hundreds. With all manner of alterations, and adaptations. That does not go well with a one-size-fits-all scheme. That is another reason source is needed for this application - it's not going to be run on a canned MSDOS box that is highly predictable. It's going to run on machines the vendor has no way of knowing what all the internal structures are like. And he is surely not expecting someone to give him root access so he can build it on a customer's machine, to run at root privs, and not leave source. Would you let me do that on your machine if I claimed I had a great new widget? I doubt it. I sure as hell wouldn't let someone do it on MINE, unless I knew him WELL. Either personally or via a track record. I see neither here.
> companies who sell packages which make minor kernel patches provide it with entire source? Sweet bugger all do. So why should this be any different?
They are usually ESTABLISHED vendors with a track record. I don't see that in this case.
>> As I said: NO SALE.
> I Say: Give it a chance. (But then no one probably gives a rat's ass what I think, perhaps they don't care what you think either? :)
Life's a bitch and then you die, too. So what? If they were to offer it with source, for a reasonable price, I wouldn't be so negatively inclined (I wouldn't have said anything, most likely), but they DIDN'T. I mentioned that before, and you chose to ignore it then, too. I expressed my views; I was not surprised all the apologists and obscurity buffs would come out of the woodwork. Go ahead and red-cross, I am done discussing it. I made my views known; the fact they are not Politically Correct is not something I am particularly concerned about. I gave up 'PC-ness' years ago. There is a difference between making a product and a profit and trying to gouge the community. But the CLAIMED reason for all this was to 'prevent abuse', not profit. So you figure it out. I still say denying source is a ripoff, justified by exploiting FUD.
Me.
--
pat@rwing [If all fails, try: rwing!pat () ole cdac com]    Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding empirical evidence."
-- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.