Re: new iss stuff

[rwing!pat () ole cdac com (Pat Myrto)]

"In the previous message, Andrew Watts said..."
> > Sure - if you want your security to be dependent on a black box.  And
> > you really believe that NO contributed code was not included in it, code
> > for which the orignal writers are not getting a DIME?  The price would
> > be reasonable, IF IT INCLUDED SOURCE.  But it doesn't.  For source its
> > well over a grand.  Its back to security through obscurity (only now
> > its 'security through black boxes').

I see you ignored the point I made above.  How come I am not surprised?
About the price being reasonable if it included source.  But source
is priced more like it was from AT&Ts toolbox.  It only means the
well-to-do crackers will be getting it - initially.

> Have you seen  a copy of the commercial product? Have you asked the supplier
> for a copy of the source to check your allegation that contributed code
> was used in it? Because let's face it, you basically just accused them

I said do you really believe it is totally free of contributed code?
Code contributers would not be getting a dime for?  It would take
a past contributer going over it with a fine tooth comb to determine that.
And there are a lot of people who have contributed code in one way or
another that has worked its way around in the freeware stuff.

Yeh, right.  He's gonna give me source to inspect - sure if I pay a
grand for it.  I don't really want to waste my time (or funds in 4
figures) in that regard.  Which I have no intent to do.  Which was my
main point.  The fact remains, if it does contain any code or is based on
any code that was provided as a patch or a port to another platform, it
contains contributed code as far as I am concerned.  And I really
doubt if those contributers are being offered a piece of the action.
Perhaps I am wrong, but I doubt it - or it will be after the point
was brought up.

I really doubt if they threw all the ideas and code from the old version
away, and did it all totally from scratch.  If they did, its probably
delightfully buggy, because any bugfixes (especially platform specific
ones) would be omitted.

> of that. Have you also consulted with the supplier to find out what
> information he will supply regarding what the program checks for, 
> and what holes it attempts to discover and correct? Perhaps the supplier
> will be more than happy to share with those who purchase this product
> information about the particular security problems. I don't know these

The point is, when one puts out money, they should know that UP FRONT.

> things for a fact, but have _you_ investigated first, it semems you're
> making alot of assumptions on behalf of the supplier which may turn
> out to be totally unfounded.

Perhaps.  We will see.  Maybe they will change their policy and charge
a sane price.  If that were to occur, I would say a lot of good has
been done.  Ain't gonna be done because one guy contacts them on the
quiet, it will be done if people say "Yeh, what about this?".

> > The bad taste remains.  I smell a gouge playing on fear.  If they decide
> > to make the sources affordable, perhaps I will change my viewpoint.
> > Otherwise, they are making the decisions FOR the using admin, not allowing
> > him to decide what he wants to check.
>
> How many people who sell word processors provide it with source? How many

This is not a word processor.  It is a security analysis tool, with a
vendor deciding what you should and should not analyze IN ADVANCE -
making the assumption a customer will abuse it UP FRONT.  I am so happy
he is so delighted to make those decisions FOR you.  Sort of like our
nanny-at-gunpoint government doing the same for us. It is not expected
to run on one or two platforms, but dozens, perhaps hundreds.  With all
manner of alterations, and adaptations.  That does not go well with a
one-size-fits-all scheme.  That is another reason source is needed for
this application - its not going to be run on a canned MSDOS box that
is highly predictable.  Its going to run on machines the vendor has no
way of knowing what all the internal structures are like.  And he is
surely not expecting someone to give him root access so he can build it
on a customer's machine, to run at root privs, and not leave source.
Would you let me do that on your machine if I claimed I had a great new
widget?  I doubt it.  I sure as hell wouldn't let someone do it on MINE,
unless I knew him WELL.  Either personally or via a track record.  I
see neither here.

> companies who sell packages which make minor kernel patches provide
> it with entire source? Sweet bugger all do. So why should this be any
> different? 

They are usually ESTABLISHED vendors with a track record.  I don't
see that in this case.

> > As I said:  NO SALE.
>
> I Say: Give it a chance. (But then no one probably gives a rats ass what I
> think, perhaps they dont care what you think either? :)

Lifes a bitch and then you die, too.  So what?

If they were to offer it with source, for a reasonable price I wouldn't
be so negatively inclined (I wouldn't have said anything, most likely),
but they DIDN'T, but I mentioned that before, and you chose to ignore
it then, too.  I expressed my views, I was not surprised all the apologists
and obscurity buffs would come out of the woodwork.

Go ahead and red-cross, I am done discussing it.  I made my views known;
the fact they are not Polticially Correct is not something I am
particularly concerned about.  I gave up 'PC-ness' years ago.  There is
a differnce between making a product and a profit and trying to gouge
the community.  But the CLAIMED reason for all this was to 'prevent
abuse', not profit.  So you figure it out.  I still say denying source
is a ripoff, justified by exploiting FUD.

> Me.

-- 
pat@rwing  [If all fails, try:  rwing!pat () ole cdac com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.