Symantec Buys SecurityFocus, among others....

[full-disclosure () lists netsys com (full-disclosure () lists netsys com)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> As a consulting company that publishes vulnerability information and tools,
> we contribute to the pool that we drink out of.

Oh.  So this is your argument.  You contribute to it, therefore you may use it?  Wait .... I thought you said the 
information should be free for non-commercial use.  Does not taking from the pool to use within a company constitute 
commercial use?  Genius!  So, the "do as I say and not as I do" applies here?  What other double-standards are we also 
applying in this discussion?

You know, Chris, you really puzzle me.  You look a person holding a very sharp axe in their hand directly in the eye, 
then you put your neck on the block.  And you know DAMN WELL I'm going to bring this fucker right down on you.  As you 
wish.

So, now that we've clarified that there is, in fact, a double-standard here, this would explain why a certain vicious 
rumor about the @stake toolkit that somehow found the light of day contains not only many, many publicly available 
exploits, but also some 0day that the vendors have yet to fix.  Tell me, Chris, I'm a little confused how this applies 
to both "Responsible Disclosure" and "information being free for non-commercial use."  From my take, there's nothing 
responsible whatsoever about possessing, and distributing a toolkit that contains exploits for problems that aren't 
even fixed.  To me, it also doesn't constitute "non-commercial use" that this rumored toolkit is used by @stake pen 
testers when they're at a gig.

Why Johnny Ringo .... you look like somebody just walked over your grave.

> So would you use a non-profit database that was populated by the
> vulnerability reporters themselves? That is what I am proposing.

Chris, hellNbak AKA Steve Manziuk can't even read an email, get the point, and intelligently respond.  And he moderates 
a fucking mailing list!  You've got to be shitting me.  Oh, btw Steve, when I want to talk to you, I'll initiate the 
conversation; I have little time to waste on your inate ability to read and not comprehend.

What about the folks that don't speak English as a first language, or no English whatsoever?

In short, yeah, you could say I'm skeptical.  And what's going to stop other information security companies from using 
it anyway?  If the data is freely available, it's there for the harvest.  If you want to prevent it from being 
exploited by outside parties, you have to neuter it to where there's no details whatsoever.  Then, it becomes roughly 
tits on a boar.

FYI, as I recall, the information in the Bugtraq Database is freely available to the public through their web site 
anyways.  Perhaps you may have overlooked this.

> For wanting a public vulnerability database?  This is what the security
> community is currently missing in a public and open format. There are open
> source NIDS, vuln scanners, and other security tools. There are public
> security mailing lists. There is a public vuln dictionary, CVE.  But there
> is no public vuln database.  Why is everything else good to have
> non-commercial alternatives for except a vuln database?  The open source
> tools could tie into it.

The open source tools could tie into it.  Open Source != Non-Commercial.

Ok, as I recall, Renaud was at least making a little money off his project by offering support, while the rest of these 
pentest dirtbags exploiting Nessus (oh yeah, that's right, the alleged @Stake toolkit had Nessus sigs, did it not?) for 
whatever fee.  Now, correct me if I'm wrong here, but first, doesn't this mean that Renaud would no longer be able to 
offer commercial support for his product?  I think so.

And I believe the same applies to Marty, as Sourcefire is offering commercial products built on Snort.  Gee, what a 
fucking HUGE hole in your logic.  And, you additionally fuck them in the process.  Good job.

> I certainly didn't mention restricting information.  A public vulnerability
> database would require the information to be open so that it could be in
> the database.

Ok, so you have a database that can be used commercially, or you don't.  Notice how there's no fucking in-between?  And 
what if a person wants to use the "non-commercial database" in their commercial product?  Does this now require a 
licensing fee?  Or do you just turn them away?  This has sham written all over it.

And of course, how does this differ from the Bugtraq Database?

> @stake employees have contributed to the Snort project. I actually was
> using Snort earlier today on a product pen test.  It's great.  Marty has
> created something wonderful. A public vulnerability database would enhance
> Snort not hurt it.  We don't really do implementation work but we have
> recommended to some of our customers that they install Snort.

Horseshit.  Non-commercial != Public, and vice-versa.  The Bugtraq Database is public.

How does Marty benefit from the database by no longer being able to use it?  It sure as hell doesn't help his 
commercial venture, as near as I can tell.

> You can support the First Amendment and still limit what you personally say
> and write.  I choose not to be vulgar in my list postings and I might even
> advocate for others to not be vulgar but I would never want to ban that
> langauge.  I think it is a benfit to security if people can patch their
> boxes before exploits are written.  Nothing is a single bullet solution but
> I think that certain disclosure practices can help make this happen.
> Obviously a lot has to be done better on the vendor side.  So while
> advocating for people to follow certain disclosure practices I still don't
> think there should be a law restricting free speech.  Once someone has
> chosen to publish information they are going to publish it.  It is better
> for the community that VulnWatch approve these messages so that everyone
> can get the information at the same time.

I really wish you weren't so two-faced, paradoxial, and self-righteous.  And on that note, how does this make VulnWatch 
any different from any other security mailing list?  Securiteam does the same thing.  This list allegedly does the same 
thing.  Bugtraq does the same thing.

Bottom-line, there's going to be people that make money off security information whether you like it or not.  @Stake 
does.  SecurityFocus does.  ISS does.  NAI does.  Even CERT does.  Welcome to the capitalist world; leave your agendas 
and egos at the door.  Any company that uses information/software provided by them tends to make money, as they spend 
less time down due to security incidents.  Funny how economics work, isn't it?

If you don't like it, might I recommend you move to Cuba?  I hear they're still communist there, and you may find their 
way of thinking more inline with yours.  I'd suspect you're not going to enjoy the same standard of living, though.

haiku
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wloEARECABoFAj04oMwTHGhhaWt1QGh1c2htYWlsLmNvbQAKCRDCt+udg2XXB+ofAKCR
2eoCWaSG38HxQvUSeoHzHoJFMwCfV6BbSTdti70x5YCbA3CB4NTtv9A=
=Ra4B
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople