Symantec Buys SecurityFocus, among others....

[full-disclosure () lists netsys com (full-disclosure () lists netsys com)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From the Haiku Hacker for Mr. Wysopal:

Houses
- ----------
Fat Checks Are Good Biz
They buy warm houses for March
Is yours made of glass?

> Even if you put a copyright notice on your advisories and give permission
> for non-profits to redistribute, the for-profits will just reword the
> information for their database.  It usually takes several days to research
> and create an advisory and many hours of working with the vendor to get
> them to fix it.  The vuln reporter gets some street cred.  The for-profit
> retypes the information and probably makes a few thousand dollars PER
> ADVISORY.  And several for-profits are doing this.

Or better, thousands per advisory when a consultant for a certain company shows up to audit networks.  What's @stake's 
billable rate these days?

> The only way to stop the leeching is to have a free vulnerability database.
> There could be a site where vuln reporters could enter the information into
> the database themselves.  This database would always be the most up to date
> and the most accurate.  If there was a standardized vuln reporting format
> perhaps the import to the databse could be automated.  Mirroring of the
> database around the world would be encouraged.
>
> I would love VulnWatch to be able to do this.  Any volunteers?

I'll not even touch this.  I could make fun of several hypocrits on this list, but like anybody in the industry that 
actually contributes, I have a regular job; one that doesn't involve stroking and petting my ego.  KTHX.

> Agreed.  I have struggled with the model that exists for many years.  It
> seems the only way to make money off of vuln information is to sell a
> database and the people selling them do not pay the vulnerability
> reporters for their effort. Let's face it.  There would be no security
> information business without all the people donating their knowledge for
> free.
>
> Of all the vuln database companies SecurityFocus has been the best at
> giving back to the community and they say this won't change.  Even so a
> completely non-corporate and free vuln database would be something good for
> the community.

Ok.  I've been a passive observer on this list since receiving an unsoliticed email from the purveyors.  I must admit, 
this has been one of the most educational experiences I've had in my time in this industry.  Look at some of the names 
here:  Jay Dyson, Steve Manzuik, Chris Wysopal, KF, Blue Boar, Len Rose.  Notable hackers.

Now, it's time to cut the shit.

First and foremost, let me say this list is complete dogshit.  I'd like to go on the record with my opinion being that 
moderated mailing lists are a good thing.  It keeps all the fucking whining to a minimum.  You think I actually care 
that your information is being resold?  No!  I just want the information, delivery medium negotiable.  I could give a 
fat rats ass if you get credit, either.  That's one thing I can say for any vulnerability database; at least I don't 
have to listen to a bunch of punkasses and their incessant boohooing; instead, I get just the pertinent information.  
At the end of the day, I don't give a fuck who you are, or how great you think you are; I care that my systems are 
secure, and that's the bottom line.

Second, I've been amazed at what big fucking morons the "esteemed hackers" in the community are.  Especially Chris and 
Jay.  Wow!  I thought you guys were really intelligent, and to some extent, had a moderate amount of respect for you 
two.  The only thing I've seen from any of you at this point is hidden agenda.  You guys are truely disgusting.  You 
guys set the bar for low.  Proof that nothing is ever what it seems.

Third, I can't believe that not a single one of you dickless, amoebic, mental-myopics has even BOTHERED to look at the 
other people in this "industry" that are regularly exploited, and use the information we supply for the sake of 
creating something for the common good.  The first person that comes to mind is Renaud Deraison.  Yeah, you guys are 
fucking brilliant, right?  Make the information copyrighted, so he can't continue to work on a FREE project continually 
exploited, and at least try to sell support so he can pay the fucking rent?  Jesus.

And let's not even talk about Marty Roesch.  If there's another person that knows something about giving heart and soul 
to a project, and continually getting exploited, he's our man.  He runs a great project, and I'll bet not a single one 
of you whining bitches hasn't used it, and if you consult, haven't provided it as a "solution" that you charged some 
company billable hours for.  So now you want to take the information that he needs as well, and restrict him from it?  
Looks to me like he's finally getting his company off the ground, and you guys want to fuck him now too?

I can't believe the amount of fucking "idealists" we have here that think they know how to fix the fucking world by 
fucking the people that actually do some good in it.  Fuck each and every one of you.  I can only hope that one day, 
you finally dislodge your head from your ass and realize the ramifications of your self-serving agenda.  I have my 
doubts about it happening, though.

Furthermore, I'm thankful to see that people like Chris and Jay have actually come out of the closet to show what 
fucking miserable, narcissistic, ugly people they really are.  It's high-time that we finally get an idea of the wheat 
and chaff in this industry, and seperate them.  I still nearly fall off my chair with laughter when I visualize Chris 
sucking up to MS, and trying to push the "responsible disclosure" agenda while moderating an allegedly "full 
disclosure" list, and posting to others.  You're a man of many faces, Chris, all of them in twos.  I'll not even pick 
on Jay; I really feel pity on him.

haiku
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wloEARECABoFAj04VL4THGhhaWt1QGh1c2htYWlsLmNvbQAKCRDCt+udg2XXBxmvAKCQ
Jnp8MzKRvrMZQd6HqG4L+BrtjACfebxiRLkqjo6hCOzXri1xbmLoqdg=
=ANWm
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople